Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Find Domain Controllers (REVIEWED by Sophos)
    SELECT os_version.name os_name, services.name, services.display_name, services.start_type, services.path, services.status, services.user_account FROM services JOIN os_version WHERE services.name = 'NTDS' To only find machines...
  • Live Discover Query - Show the % free disk space (REVIEWED by Sophos)
    Often when a user complains about a device being slow or having problems, the first thing to check is how much free disk space the device has. You can use this to monitor the devices under management to determine if you should...
  • Add username to Windows Programs query
    Hello everyone, I need help with a simple query as I'm not well versed in SQL. Basically this is the query: SELECT name, version, install_location, install_source, publisher, install_date, identifying_number FROM programs Where name LIKE '%CAD%'...
  • Live Discover Query - Virtual Devices (REVIEWED by Sophos)
    Depending on the role of the user or device it might be worth exploring those computers that are running a virtual machine. This could be a computer on the network you don't have any visibility or control over that is being used...
  • Check the Flaw in AMD Platform Security Processor, CVE-2021-26333
    The query below checks for the flaw in the AMD PSP, CVE-2021-26333, reports whether the system is vulnerable or not and prints the appropriate message. -- Check the Flaw in AMD Platform Security Processor, CVE-2021-26333 SELECT CASE WHEN (SELECT 1 FROM cpu_info...
  • BitLocker Status (REVIEWED by Sophos)
    A query that will return the BitLocker status of an Endpoint SELECT device_id,drive_letter,percentage_encrypted, encryption_method, version, persistent_volume_id, CASE conversion_status WHEN 1 THEN 'Fully Encrypted' WHEN 2 THEN...
  • Live Discover Query - Minimum hardware check (REVIEWED by Sophos)
    Given the advice in article 121027 regarding recommended hardware specifications (for example, Intercept X Advanced with EDR and MTR is: Disk space: 8 GB free, RAM: 4 GB, Cores: 2), the following query could be used to identify...
  • List Installed Deb Packages on Debian/Ubuntu Linux Serve
    SELECT name "Package name", version "Package version", source "Package source", size "Package size in bytes", arch "Package architecture", revision "Package revision" FROM deb_packages
  • Check if certificates are about to expire in the next N days (REVIEWED by Sophos)
    This query checks the certificates table and calculates if any certificates are going to be expiring in the next N days. If you are like me you have a story of when the business was impacted by some certificate expiring on a product...
  • OMIGOD Vulnerability | OMI version check
    SELECT CASE WHEN version = '1.6.8.1' THEN 'OMI is Updated' ELSE 'Update OMI to 1.6.8.1' END AS OMIGODVersionCheck, name, version, release, source, sha1, arch FROM rpm_packages WHERE name = 'omi' UNION ALL SELECT CASE ...
  • Live Discover Query - BitLocker (REVIEWED by Sophos)
    The first query will show for Windows devices if any drive has been encrypted using BitLocker: select drive_letter as "Drive Letter", case protection_status when "1" then "ENABLED" else "DISABLED" end "Protection Status", encryption_method...
  • Find machines with running Print Spooler service, or that could be
    SELECT name, display_name, start_type, path, status, user_account, CASE WHEN status = 'RUNNING' THEN 'Stop service to end exposure to unpatched vulnerabilities inc. Print Nightmare' END AS SpoolerCheck, CASE WHEN start_type != 'Disabled' THEN 'Set Spooler...
  • Live Discover Query - CPU Usage (Weighted) (REVIEWED by Sophos)
    Hi guys, I've been playing with Live Discover, which seems to be all I'm doing at the moment; it's a little addictive! Anyway, I wrote a simple query to collect the most active processes on devices. Unlike the cpu_time table, this query...
  • Live Discover Query - General IT queries
    Hi, I have been looking at Live Discover and like the look of it. I am not an expert in Threat Hunting, but I was hoping I could use Live Discover to help me with my day to day IT tasks. I was thinking along the lines of the following. Machine...
  • Application Whitelist
    Combined the idea of loading a CSV from a local file: https://community.sophos.com/intercept-x-endpoint/i/query-tips/load-a-local-csv-file-or-remote-csv-file-as-a-virtual-table to compare a list of applications against installed applications, as...
  • Check for conflicting windows security software (REVIEWED by Sophos)
    Customers confronted with unexplainable red statuses and installation/update issues were helped by this: ------- select * FROM windows_security_products WHERE name is not 'Windows Firewall' and name is not 'Microsoft Defender...
  • Live Discover Query - Location (REVIEWED by Sophos)
    This might be a little out there but you could look to locate all devices in the same physical location or had been in the same physical location or gather some data to locate a device should it be stolen. Windows maintains a list...
  • Check version of Notepad++ installed vs latest available (REVIEWED by Sophos)
    Followup to the Firefox query, repeating the process for Notepad++. SQL published at https://gist.github.com/andrewmundellsophos/17ea7cd7614fc61c3046e64586c4186b and pasted below: --Tested and working as of 2020-07...
  • Query to collect Serial Numbers of computers
    Can someone help me? I need to collect serial numbers of computers with the Sophos agent installed.
  • Examine for a specific driver vendor type and version
    Given the recent news about Nvidia GPU driver kernel escalation bugs, I would like to know if it is possible to search for drivers with the following: use a variable to examine for a single driver like Nvidia; report the version of the driver....