Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Add username to Windows Programs query

    • Under Review
    • 1 Comment
    Hello everyone, I need help with a simple query as I'm not well versed in SQL. Basically this is the query: SELECT name, version, install_location, install_source, publisher, install_date, identifying_number FROM programs Where name LIKE '%CAD%'...
    • 23 Jun 2021 4:20 AM
  • Finding the Sophos Machine ID

    • Under Review
    • 1 Comment
    Each device managed by Sophos has a unique machineID. This is created at the time of installation. There are some scenarios where it's useful to be able to search for a unique machineID, or a collection of them. -- Name: List Sophos Machine IDs ...
    • 23 Jun 2021 4:19 AM
  • query with windows 10 updates

    • Under Review
    • 6 Comments
    Hello friends, does someone know how to check the pending updates of Windows 10? Thanks
    • 23 Jun 2021 4:19 AM
  • Generic Network activity search (Windows)

    • Approved
    • 0 Comments
    This query provides a generic search for IP address and port information Descriptive name Variable Type Notes Begin Search on date $$Begin Search on date$$ DATE Provide a start date for the search Hours to Search $$Hours...
    • 23 Jun 2021 4:19 AM
  • Sophos Reboot required

    • Approved
    • 0 Comments
    This will query if the Sophos reboot key is set and a Sophos reboot is required to complete an update WITH RebootEvidence(evidence) AS ( SELECT CAST(group_concat(path, CHAR(10)) AS TEXT) FROM registry WHERE path = 'HKEY_LOCAL_MACHINE...
    • 23 Jun 2021 4:19 AM
  • Asset Discovery Query

    • Approved
    • 0 Comments
    The below query will use the arp_cache table from the devices specified, take the MAC Address information from the results and send that via CURL to an API ( https://macvendors.com/api ) to pull in vendor information for the MAC addresses as another...
    • 23 Jun 2021 4:18 AM
  • Device Activity (Multiple queries in one)

    • Approved
    • 0 Comments
    As a threat hunter it is critical to get oriented quickly. When you have a device that has suspect activity on it and the threat hunter is still exploring what is happening they want a lot of different information about the device. This information is...
    • 23 Jun 2021 4:15 AM
  • Gather System Information

    • Under Review
    • 2 Comments
    This query can be used for general IT. Perhaps an organization is considering new software or wants to compare serial numbers for warranty. SELECT uuid, hardware_serial, hostname, cpu_subtype, cpu_brand, printf("%.2f", CAST(system_info.physical_memory AS...
    • 23 Jun 2021 4:15 AM
  • Check if certificates are about to expire in the next N days

    • Under Review
    • 0 Comments
    REVIEWED by Sophos This query checks the certificates table and calculates if any certificates are going to be expiring in the next N days. If you are like me you have a story of when the business was impacted by some certificate expiring on a product...
    • 23 Jun 2021 4:14 AM
  • Check version of Notepad++ installed vs latest available

    • Under Review
    • 0 Comments
    REVIEWED by Sophos Followup to the Firefox query, repeating the process for Notepad++. SQL published at https://gist.github.com/andrewmundellsophos/17ea7cd7614fc61c3046e64586c4186b and pasted below: --Tested and working as of 2020-07...
    • 23 Jun 2021 4:14 AM
  • Find Domain Controllers

    • Under Review
    • 0 Comments
    REVIEWED by Sophos SELECT os_version.name os_name, services.name, services.display_name, services.start_type, services.path, services.status, services.user_account FROM services JOIN os_version WHERE services.name = 'NTDS' To only find machines...
    • 23 Jun 2021 4:14 AM
  • List software installed between two dates

    • Under Review
    • 1 Comment
    REVIEWED by Sophos This query will list all the software installed between two dates, taking Sophos out of the list. The variable screen is below. It also shows the format. Some software has no date so that is returned just in case it helps SELECT...
    • 23 Jun 2021 4:13 AM
  • Check for conflicting windows security software

    • Under Review
    • 1 Comment
    REVIEWED by Sophos Customers confronted with unexplainable red statuses and installation/update issues were helped by this: ------- select * FROM windows_security_products WHERE name is not 'Windows Firewall' and name is not 'Microsoft Defender...
    • 23 Jun 2021 4:13 AM
  • Check version of Firefox installed vs latest available

    • Under Review
    • 0 Comments
    REVIEWED by Sophos A quick and dirty query leveraging curl to get the latest version of Firefox from Mozilla.org and compare to the installed version. Uses curl a bit too much, but I'm having trouble using "with" clauses and parsing that result,...
    • 23 Jun 2021 4:13 AM
  • BitLocker Status

    • Under Review
    • 0 Comments
    REVIEWED by Sophos A query that will return the BitLocker status of an Endpoint SELECT device_id,drive_letter,percentage_encrypted, encryption_method, version, persistent_volume_id, CASE conversion_status WHEN 1 THEN 'Fully Encrypted' WHEN 2 THEN...
    • 23 Jun 2021 4:12 AM
  • Simple query to audit Microsoft RDP enablement status (from registry)

    • Approved
    • 0 Comments
    REVIEWED by Sophos Just a quick query to audit the state of MS RDP via the registry, uncomment (remove the 2 leading '--' from the last line) to return only machines where RDP is enabled. SELECT CASE WHEN data = 0 then 'RDP Enabled' WHEN data...
    • 23 Jun 2021 4:12 AM
  • Live Discover Query - CPU Usage (Weighted)

    • Approved
    • 0 Comments
    REVIEWED by Sophos Hi guys, Been playing with live discover, which seems to be all I'm doing at the moment, it's a little addictive! Anyway wrote a simple query to collect the most active processes on devices. Unlike the cpu_time table, this query...
    • 23 Jun 2021 4:11 AM
  • Live Discover Query - General IT queries

    • Approved
    • 3 Comments
    Hi, I have been looking at Live Discover and like the look of it. I am not an expert in Threat Hunting, but I was hoping I could use Live Discover to help me with my day to day IT tasks. I was thinking along the lines of the following. Machine...
    • 23 Jun 2021 4:11 AM
  • Live Discover Query - Location

    • Approved
    • 2 Comments
    REVIEWED by Sophos This might be a little out there but you could look to locate all devices in the same physical location or had been in the same physical location or gather some data to locate a device should it be stolen. Windows maintains a list...
    • 23 Jun 2021 4:11 AM
  • Live Discover Query - Show the % free disk space

    • Approved
    • 3 Comments
    REVIEWED by Sophos Often when a user complains about a device being slow or having problems, the first thing to check is how much free disk space the device has. You can use this to monitor the devices under management to determine if you should...
    • 23 Jun 2021 4:10 AM
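Several of the ideas above (the certificate-expiry check, the network activity search) rely on two things every Live Discover query author needs: the osquery tables that Sophos exposes and the $$Variable$$ placeholder syntax for user-supplied parameters. The query below is an added example written for this page, not code taken from any of the posts listed above. It assumes the standard osquery `certificates` table (where `not_valid_after` is a Unix epoch) and a Live Discover variable named `Days` of type INTEGER; both the variable name and the column choice are assumptions, and the query has not been taken from the referenced post.

```sql
-- Added example (not from the original page): list certificates that are already
-- expired or will expire within the next $$Days$$ days.
-- Assumes the osquery 'certificates' table as exposed by Live Discover, where
-- not_valid_after is a Unix epoch, and a Live Discover variable named Days (INTEGER).
SELECT
  common_name,
  issuer,
  store_location,
  store,
  datetime(not_valid_after, 'unixepoch') AS expires_utc,
  -- Whole days between now and expiry; negative means already expired.
  CAST((not_valid_after - CAST(strftime('%s', 'now') AS INTEGER)) / 86400 AS INTEGER)
    AS days_remaining,
  CASE
    WHEN not_valid_after < CAST(strftime('%s', 'now') AS INTEGER) THEN 'EXPIRED'
    ELSE 'Expiring soon'
  END AS status,
  sha1
FROM certificates
-- Keep only certificates whose expiry falls before now + N days.
WHERE not_valid_after < CAST(strftime('%s', 'now') AS INTEGER) + ($$Days$$ * 86400)
ORDER BY not_valid_after ASC;
```

Two points worth noting when adapting this: the epoch arithmetic is done in SQLite on the endpoint, so the result reflects the device's own clock, and a machine with a wrong clock will misreport `days_remaining`; and because Live Discover substitutes `$$Days$$` textually before the query runs, declare the variable as INTEGER in the variable editor so a non-numeric value is rejected rather than silently breaking the comparison.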