Sophos Community
Live Discover & Response Query Forum
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation. Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Note: For more information on Live Discover, please check out our Product Documentation.
Navigate to a category below to browse and submit a query
Browse Live Response and Discover Queries by Category
Uncategorized
Anomalies
ATT&CK
Compliance
Device
Email
Events
Files
Live Response
Network
Other queries
Processes
Query Tips
Registry
Threat Hunting
User
Data Lake
Search subfolders for a specific filename or extension.
Genc Kelmendi
Approved on 18 May 2022
1 Comment
Useful query to search entire subfolders for a specific extension or a filename. Supports wildcards in path and filename. SELECT path, directory, filename, device, size FROM file WHERE directory LIKE 'C:\users\%\desktop%%' AND filename LIKE '%%.exe...
11 Apr 2021 2:34 PM
Stories from the Front Line - Finding files modified by ransomware
Karl_Ackerman
Approved on 18 May 2022
0 Comments
REVIEWED by Sophos The Sophos Incident Response team is often very busy, today I checked in on some of their current efforts to help accounts respond to active breaches and lent a hand with a query. An account had ransomware hit some unprotected devices...
12 Aug 2020 3:09 PM
Query A Specific File Path for Items and Compare File Scoring
JeramyKopacko
Approved on 18 May 2022
0 Comments
## Use descriptive name “filepath” as variableType “File Path” SELECT sfp.sha256, sfp.mlScore, sfp.puaScore, sfp.globalRep, sfp.localRep, f.path, f.filename, datetime(f.atime,'unixepoch','localtime') AS Last_Accessed, datetime(f...
6 May 2021 9:35 PM
Retrieve Folder Size
Connor Rosenthal
Approved on 18 May 2022
1 Comment
I know you can get data back from files but is there a way to modify the OSQuery to get folder or directory information. Wanted to get Desktop and Document size, and convert if possible to MB.
16 Sep 2021 9:54 PM
Live Discover Query: Common productivity files (documents/pictures) that were deleted or modified in the last 24 hours
Karl_Ackerman
Approved on 18 May 2022
1 Comment
REVIEWED by Sophos This query generates a list of the file deletes and modifications by process and user for the last 24 hours. It can take some time to run but does what it says. /*************************************************** divided 24 hours...
7 May 2020 8:06 PM
Advanced Query - Get ALL filesystem activity for 1 min from an hour ago
Karl_Ackerman
Approved on 18 May 2022
0 Comments
REVIEWED by Sophos Here at Sophos we are working on dozens of additional queries and would like your input. If you have a query you would like to see created or you have one you've been working on and want input from the community please just ask...
10 Apr 2020 2:57 PM
File information for file deleted by Sophos A/V
Jeremy Lloyd1
Approved on 18 May 2022
6 Comments
Hi, I cannot find a table which lists files that have been deleted by the A/V scan due to detected malware. I'm trying to find the file's date time stamp and file size. I've tried the sophos_file_journal table but it doesn't include the files that...
9 Mar 2021 1:04 PM
EDR Query to list deleted files in a directory
RogerNeal
Approved on 18 May 2022
0 Comments
Description We've been asked a few times if it's possible to write a quick query to list files deleted in a particular directory. This query below is a modification of the existing File Access History Query to just show deleted files for a specified...
14 Jul 2021 12:59 PM
Live Discover Query - Ransom note discovery?
jak
Approved on 18 May 2022
6 Comments
REVIEWED by Sophos I'm not sure if this would work, or even how much merit there is in trying but here goes anyway. Ransomware, to the best of my limited knowledge, tends to add some sort of instruction file to an obvious location such as the user...
23 Apr 2020 11:05 PM
How can I adjust this query so that it uses a list of items instead of just one file?
Brian Dake
Approved on 18 May 2022
2 Comments
I assume that searching for a list of files at once would be faster than searching for each file individually. So, how can I adjust this query so that it uses a list of items instead of just one file? --- Descriptive name Variable type SQL Variable...
18 Mar 2021 10:00 PM
List Office Macro documents touched on a client computer (from Data Lake)
LHerzog
Under Review on 9 Dec 2021
4 Comments
Hi, this Data Lake query finds all Office Documents by file name in a given time frame and on specific host or all hosts (wildcard) and only those, that have not been touched by a specific process (e.g. dropbox.exe) Unfortunately it does not find...
9 Dec 2021 4:28 PM
Excluding Hashes from various scans
Gerald Szakal1
Approved on 18 May 2022
3 Comments
Hello all, I am running a number of scans including but not limited to "Unsigned applications that were run" which I believe I got from this site. I find the results to be extremely "busy" with so many pages it is almost unusable (155). I am looking...
23 Mar 2021 4:48 PM