Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation.
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and the Sophos EDR Threat Hunting Framework.
For more information on Live Discover, please check out our
Browse Live Response and Discover Queries by Category
List Installed Deb Packages on Debian/Ubuntu Linux Serve
SELECT name AS "Package name", version AS "Package version", source AS "Package source", size AS "Package size in bytes", arch AS "Package architecture", revision AS "Package revision" FROM deb_packages
3 Nov 2021 6:05 PM
Retrieve Folder Size
I know you can get data back from files, but is there a way to modify the osquery to get folder or directory information? I wanted to get the Desktop and Documents size, and convert it to MB if possible.
16 Sep 2021 9:54 PM
EDR Query to list deleted files in a directory
Description: We've been asked a few times if it's possible to write a quick query to list files deleted in a particular directory. The query below is a modification of the existing File Access History query to show only deleted files for a specified...
14 Jul 2021 1:01 PM
Complete, no data sent
Good Morning Sophos Fam, I'm just beginning to leverage SQL queries in the life of a Security Admin, and my question is when you receive a "Complete, no data sent" is it due to - The device doesn't match the query parameters? - Communication...
8 Jul 2021 6:35 PM
Show computer where exist specific file
Hi all, I wanted to ask you if it is possible to make a query to show all computers where there is (or where there is not) a specific file. Thank you
17 Jun 2021 2:42 PM
"Looping" through list in Live Query
Good afternoon! I am working on a query where I would like to essentially perform a "For Each Loop" on the results. I am not sure what the SQL equivalent is. Can someone assist me and/or direct me to the proper syntax? Based on the following...
22 Jun 2021 3:55 AM
Help Required to Run Query !
Hi Guys, I'm running a query to check for the recent AnyConnect vulnerability. I'm not sure if a SQL query can read inside an XML file? I have to search for a specific word in an XML file. Can anyone help me with that, or just point me in the right direction? Thanks
22 Jun 2021 3:53 AM
Query A Specific File Path for Items and Compare File Scoring
## Use descriptive name “filepath” as variableType “File Path” SELECT sfp.sha256, sfp.mlScore, sfp.puaScore, sfp.globalRep, sfp.localRep, f.path, f.filename, datetime(f.atime,'unixepoch','localtime') AS Last_Accessed, datetime(f...
22 Jun 2021 3:54 AM
Query Changes In User Directory
##Set date as variable date and choose a timestamp: SELECT filename, (size / 1024) AS Kb, path, datetime(mtime,'unixepoch','localtime') Modifiedtime FROM file WHERE (Modifiedtime > $$date$$ AND filename != '.') AND (path LIKE 'C:\Users...
22 Jun 2021 3:51 AM
Search subfolders for a specific filename or extension.
Useful query to search entire subfolders for a specific extension or a filename. Supports wildcards in path and filename. SELECT path, directory, filename, device, size FROM file WHERE directory LIKE 'C:\users\%\desktop%%' AND filename LIKE '%%.exe...
22 Jun 2021 3:49 AM
Excluding Hashes from various scans
Hello all, I am running a number of scans, including but not limited to "Unsigned applications that were run", which I believe I got from this site. I find the results to be extremely "busy", with so many pages it is almost unusable (155). I am looking...
22 Jun 2021 3:48 AM
How can I adjust this query so that it uses a list of items instead of just one file?
I assume that searching for a list of files at once would be faster than searching for each file individually. So, how can I adjust this query so that it uses a list of items instead of just one file? --- Descriptive name Variable type SQL Variable...
22 Jun 2021 3:47 AM
File information for file deleted by Sophos A/V
Hi, I cannot find a table which lists files that have been deleted by the A/V scan due to detected malware. I'm trying to find the file's date/time stamp and file size. I've tried the sophos_file_journal table, but it doesn't include the files that...
22 Jun 2021 3:17 AM
query required : Change in software state (Version) between two dates
Hi Team, Do you have a query to keep the state or version changes of all the software installed between 2 dates? Let's say I have current Chrome installed on 17/11/20 as x.x.x.x and on 18/11/20 it changed to x.x.x.y. So if I query the version...
22 Jun 2021 3:14 AM
Stories from the Front Line - Finding files modified by ransomware
REVIEWED by Sophos. The Sophos Incident Response team is often very busy; today I checked in on some of their current efforts to help accounts respond to active breaches and lent a hand with a query. An account had ransomware hit some unprotected devices...
22 Jun 2021 3:45 AM
Live Discover Query + Response in combination for file source investigation
REVIEWED by Sophos I'm not aware that the current version of Live Query at least on Windows can obtain the equivalent of extended attributes of a file. That said, if you see a file you would like some more information on, i.e. the download source of...
22 Jun 2021 2:57 AM
Live Discover Query: Common productivity files (documents/pictures) that were deleted or modified in the last 24 hours
REVIEWED by Sophos. This query generates a list of the file deletes and modifications by process and user for the last 24 hours. It can take some time to run, but does what it says. /*************************************************** divided 24 hours...
22 Jun 2021 3:41 AM
Live Discover Query - Ransom note discovery?
REVIEWED by Sophos I'm not sure if this would work, or even how much merit there is in trying but here goes anyway. Ransomware, to the best of my limited knowledge, tends to add some sort of instruction file to an obvious location such as the user...
22 Jun 2021 2:52 AM
Advanced Query - Get ALL filesystem activity for 1 min from an hour ago
REVIEWED by Sophos Here at Sophos we are working on dozens of additional queries and would like your input. If you have a query you would like to see created or you have one you've been working on and want input from the community please just ask...
22 Jun 2021 2:43 AM