Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Browse Ideas in Category

  • Query SMB Version As Case Statement

    JeramyKopacko
    • Approved on
    • 0 Comments
    This will return all devices with SMB v1, 2, or 3 set SELECT name, type, key, data, CASE WHEN (name = 'SMB1' AND data = 1) THEN 'SMB Version 1' WHEN (name = 'SMB2' AND data = 1) THEN 'SMB Version 2' WHEN (name = 'SMB3' AND data = 1) THEN 'SMB Version...

  • Live Discover Query - Show the % free disk space

    Karl Ackerman
    • Approved on
    • 3 Comments
    REVIEWED by Sophos Often when a user complains about a device being slow or having problems the first thing to check is how much free disk space does the device have. You can use this to monitor the devices under management to determine if you should...

  • Live discover: How to check Windows updates Available or not installed

    Team Management Infrastructure Clients
    • Approved on
    • 6 Comments
    Hi friends, I've been trying create a query about how display all patches or windows updates available from a server. I tried this, but doesn't work: SELECT meta_hostname AS ep_name, hotfix_id, caption, description, FROM xdr_data WHERE query_name...

  • Find Domain Controllers

    j0hnV
    • Approved on
    • 0 Comments
    REVIEWED by Sophos SELECT os_version.name os_name, services.name, services.display_name, services.start_type, services.path, services.status, services.user_account FROM services JOIN os_version WHERE services.name = 'NTDS' To only find machines...

  • Add username to Windows Programs query

    Inactive MUZ
    • Approved on
    • 1 Comment
    Hello everyone, I need help with a simple query as I'm not well versed in SQL. Basically this is the query: SELECT name, version, install_location, install_source, publisher, install_date, identifying_number FROM programs Where name LIKE '%CAD%' ...

  • Check the Flaw in AMD Platform Security Processor, CVE-2021-26333

    RaviSoni
    • Approved on
    • 0 Comments
    The below query checks for the Flaw in the AMD PSP, CVE-2021-26333 if the system is vulnerable or not and print the appropriate message. -- Check the Flaw in AMD Platform Security Processor, CVE-2021-26333 SELECT CASE WHEN (SELECT 1 FROM cpu_info...

  • BitLocker Status

    MichaelCurtis
    • Approved on
    • 0 Comments
    REVIEWED by Sophos A query that will return the BitLocker status of an Endpoint SELECT device_id,drive_letter,percentage_encrypted, encryption_method, version, persistent_volume_id, CASE conversion_status WHEN 1 THEN 'Fully Encrypted' WHEN 2 THEN...

  • Live Discover Query - Virtual Devices

    jak
    • Approved on
    • 1 Comment
    REVIEWED by Sophos Depending on the role of the user or device it might be worth exploring those computers that are running a virtual machine. This could be a computer on the network you don't have any visibility or control over that is being used by...

  • Live Discover Query - Minimum hardware check

    jak
    • Approved on
    • 1 Comment
    REVIEWED by Sophos Given the advice in article 121027 regarding recommended hardware specifications. For example, Intercept X Advanced with EDR and MTR is: Disk space: 8 GB free RAM: 4 GB Cores: 2 The following query could be used to identify...

  • List Installed Deb Packages on Debian/Ubuntu Linux Serve

    benjm
    • Approved on
    • 0 Comments
    SELECT name "Package name", version "Package version", source "Package source", size "Package size in bytes", arch "Package architecture", revision "Package revision" FROM deb_packages

  • Check if certificates are about to expire in the next N days

    Karl_Ackerman
    • Approved on
    • 0 Comments
    REVIEWED by Sophos This query checks the certificates table and calculates if any certificates are going to be expiring in the next N days. If you are like me you have a story of when the business was impacted by some certificate expiring on a product...

  • Application Whitelist

    Sylvain_Roy
    • Approved on
    • 0 Comments
    Combined the idea of loading a CSV from a local file: https://community.sophos.com/intercept-x-endpoint/i/query-tips/load-a-local-csv-file-or-remote-csv-file-as-a-virtual-table to compare a list of applications against installed applications, as a...

  • OMIGOD Vulnerability | OMI version check

    Jainidhya Rajpal
    • Approved on
    • 0 Comments
    SELECT CASE WHEN version = '1.6.8.1' THEN 'OMI is Updated' ELSE 'Update OMI to 1.6.8.1' END AS OMIGODVersionCheck, name, version, release, source, sha1, arch FROM rpm_packages WHERE name = 'omi' UNION ALL SELECT CASE ...

  • Is there a way to check what applications are installed on MAC endpoints via Sophos Central?

    Subash Chandran
    • Approved on
    • 1 Comment
    Is there a way to check what applications are installed on MAC endpoints via Sophos Central? I can see queries to pull-out installed application list from Windows endpoints. Is there any query for MAC endpoints

  • Find machines with running Print Spooler service, or that could be

    j0hnV
    • Approved on
    • 1 Comment
    SELECT name, display_name, start_type, path, status, user_account, CASE WHEN status = 'RUNNING' THEN 'Stop service to end exposure to unpatched vulnerabilities inc. Print Nightmare' END AS SpoolerCheck, CASE WHEN start_type != 'Disabled' THEN 'Set Spooler...

  • Live Discover Query - CPU Usage (Weighted)

    AndyM
    • Approved on
    • 0 Comments
    REVIEWED by Sophos Hi guys, Been playing with live discover, which seems to be all I'm doing at the moment, it's a little addictive! Anyway wrote a simple query to collect the most active processes on devices. Unlike the cpu_time table, this query...

  • Live Discover Query - General IT queries

    bazcurtis
    • Approved on
    • 3 Comments
    Hi, I have been looking at Live Discover and like the look of it. I am not an expert in Threat Hunting, but I was hoping I could use Live Discover to help me with my day to day IT tasks. I was thinking along the lines of the following. Machine is...

  • Check for conflicting windows security software

    j0hnV
    • Approved on
    • 1 Comment
    REVIEWED by Sophos Customers confronted with unexplainable red statusses and installation/update issues were helped by this: ------- select * FROM windows_security_products WHERE name is not 'Windows Firewall' and name is not 'Microsoft Defender...

  • Live Discover Query - Location

    jak
    • Approved on
    • 2 Comments
    REVIEWED by Sophos This might be a little out there but you could look to locate all devices in the same physical location or had been in the same physical location or gather some data to locate a device should it be stolen. Windows maintains a list...

  • Check version of Notepad++ installed vs latest available

    AndrewMundell
    • Approved on
    • 0 Comments
    REVIEWED by Sophos Followup to the Firefox query, repeating the process for Notepad++. SQL published at https://gist.github.com/andrewmundellsophos/17ea7cd7614fc61c3046e64586c4186b and pasted below: --Tested and working as of 2020-07...
Unfiltered HTML