Sophos Community
Site
User
Site
Search
User
Community & Product Forums
Intercept X Endpoint
Sophos (XG) Firewall
Sophos Central
UTM Firewall
Sophos Mobile
Sophos Wireless
Sophos Email
Community Chat
Community Blogs & Events
Sophos Community Blog
Community Security Blog
Product Documentation Blog
Application Control
Getting Started
Sophos Partners
Sophos Partners Group
Member Recognition
Community Leaderboards
Sophos Techvids
Product Documentation
Visit docs.sophos.com
Support Portal
Sophos.com
More
Cancel
Intercept X Endpoint
Events
Release Notes & News
Discussions
Recommended Reads
Threat Hunting Academy
Early Access Programs
Live Discover & Response Query Forum
More
Cancel
New
Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See
Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum
and
Sophos EDR Threat Hunting Framework
.
Note:
For more information on Live Discover, please check out our
Product Documentation
.
Navigate to a category below to browse and submit a query
Browse Live Response and Discover Queries by Category
Uncategorized
Anomalies
ATT&CK
Compliance
Device
Email
Events
Files
Live Response
Network
Other queries
Processes
Query Tips
Registry
Threat Hunting
User
Data Lake
Browse Ideas in Category
By highest score
By date
By recent status change
Descending
Ascending
All ideas
Ideas you submitted
Ideas you voted on
With any status
With any open status
With any closed status
With held votes
Currently 'Completed (Brand-new content)'
Currently 'Completed (Content Update)'
Currently 'Completed (Minor Issue)'
Currently 'Approved'
Currently 'Under Review'
Currently 'Coming Soon'
Currently 'Not Planned'
Currently 'Complete'
Login Failed attempts Query For WINDOWS
Danish
Under Review
2 Comments
Hello Sophos Community, Ive been trying to find login failed attempts query for my threat hunting environment. I have search from github but no findings . Can anyone share with me the query please .
22 Jun 2021 3:46 AM
RDP Enrichment with AbuseIPDB Data
Kris Wayman
Under Review
0 Comments
This is a great query to start enriching RDP telemetry from your environment. You will need to sign up for an account with AbuseIPDB ( https://www.abuseipdb.com/ ) and generate an API key to call in the query below. -- YOU NEED TO EDIT THIS AND ADD...
22 Jun 2021 3:16 AM
When was the last scan completed on the endpoint
Karl_Ackerman
Approved
0 Comments
Simple query to read the registry for the sophos scan status. SELECT substr(data, 1,4) YEAR, CASE CAST(substr(data, 5,2) AS INT) WHEN 1 THEN 'January' WHEN 2 THEN 'February' WHEN 3 THEN 'March' WHEN 4 THEN 'April' WHEN 5 THEN 'May...
22 Jun 2021 3:31 AM
Remote Desktop | Terminal Services - Query server for brute force logins and geolocate where those logins are coming from.
Brian Ritchie
Under Review
0 Comments
These 2 queries were developed to assist with running checks on RDP or Terminal servers run on Windows Server. They typically have port 3389 open and are vulnerable to brute force attacks. This is the most popular and easiest manner that hackers gain...
22 Jun 2021 3:11 AM
Retrieve user creation/deletion and password reset events from the sophos_windows_events table
Marcel
Under Review
0 Comments
This query retrieves account creation, deletion and password reset events under Windows. You can specify the number of days you want to go back, which is specified in the variable Days (string). SELECT datetime(swe.time,'unixepoch') Date_Time, json_extract...
22 Jun 2021 3:10 AM
Another Story from the Front Line: Has CobaltStrike or PowerShellEmpire been installing services on the device
Karl_Ackerman
Under Review
0 Comments
REVIEWED by Sophos Like the earlier post we are often helping an account after they have been breached and are needing to deploy InterceptX with EDR on devices that where breached. In these situations we can't depend on the Sophos Journals for...
22 Jun 2021 3:09 AM
What if I installed after the breach happened? Hunting through windows event logs
Karl_Ackerman
Under Review
0 Comments
REVIEWED by Sophos If you are in a situation where you installed the CIXA-EDR product after a breach has already happened or is underway you will not have any of the sophos journals to hunt through for how the breach happened. Without the recorded...
22 Jun 2021 3:07 AM
List of RDP Sessions in last N Days
Karl_Ackerman
Under Review
0 Comments
REVIEWED by Sophos This query takes a variable called 'Days to look back from now' and searches the windows event logs for evenit ID 1149 then uses JSON extract to get the username and remote IP address info for the remote terminal sessions. SELECT...
22 Jun 2021 3:07 AM
Live Discover Query - History of Safe Mode system startup
Karl_Ackerman
Under Review
1 Comment
REVIEWED by Sophos We want a query to list the boot history of the device and if the boot was into safemode or not. SELECT CAST(datetime(time, 'unixepoch') AS TEXT) AS 'System Startup Date-Time', CASE JSON_EXTRACT(data, '$.EventData.BootMode') WHEN...
22 Jun 2021 3:40 AM
Live Discover Query - Brute Force Activity
Jordon Carpenter
Under Review
1 Comment
REVIEWED by Sophos Here is a query to identify activity that resembles brute force activity: SELECT eventid, JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS subject_username, JSON_EXTRACT(data, '$.EventData.SubjectDomainName') AS subject_domain...
22 Jun 2021 2:56 AM
Help on creating event log query
GiovanniGiovannelli
Under Review
2 Comments
Hi, please can you help me in creating a query for extracting the last # events of Windows Application event log? Thanks Giovanni
22 Jun 2021 3:34 AM
Live Discover Query - RDP history
jak
Under Review
5 Comments
REVIEWED by Sophos As RDP is always a hot topic in the world of security, it might be helpful to gain a report of perhaps who is connecting to where. The default RDP client, mstsc.exe maintains a history of the computers connected to under the following...
22 Jun 2021 3:37 AM