Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • List Installed Deb Packages on Debian/Ubuntu Linux Serve

    • Under Review
    • 0 Comments
    SELECT name "Package name", version "Package version", source "Package source", size "Package size in bytes", arch "Package architecture", revision "Package revision" FROM deb_packages
    • 3 Nov 2021 6:05 PM
  • Retrieve Folder Size

    • Under Review
    • 1 Comment
    I know you can get data back from files but is there a way to modify the OSQuery to get folder or directory information. Wanted to get Desktop and Document size, and convert if possible to MB.
    • 16 Sep 2021 9:54 PM
  • EDR Query to list deleted files in a directory

    • Under Review
    • 0 Comments
    Description We've been asked a few times if it's possible to write a quick query to list files deleted in a particular directory. This query below is a modification of the existing File Access History Query to just show deleted files for a specified...
    • 14 Jul 2021 1:01 PM
  • Complete, no data sent

    • Under Review
    • 0 Comments
    Good Morning Sophos Fam, I'm just beginning to leverage SQL queries in the life of a Security Admin, and my question is when you receive a "Complete, no data sent" is it due to - The device doesn't match the query parameters? - Communication...
    • 8 Jul 2021 6:35 PM
  • Show computer where exist specific file

    • Under Review
    • 1 Comment
    Hi all, I wanted to ask you if it is possible to make a query to show all computers where there is (or where there is not) a specific file. Thank you
    • 17 Jun 2021 2:42 PM
  • "Looping" through list in Live Query

    • Under Review
    • 8 Comments
    Good afternoon! I am working on a query where I would like to essentially perform a "For Each Loop" on the results. I am not sure what the SQL equivalent is. Can someone assist me and/or direct me to the proper syntax? Based on the following...
    • 22 Jun 2021 3:55 AM
  • Help Required to Run Query !

    • Under Review
    • 2 Comments
    Hi Guys, I'm running a query to check for the recent AnyConnect vulnerability. I'm not sure if the SQL query can read inside the XML file? I have to search for a specific word in an XML file. Can anyone help me with that, or just point me in the right direction? Thanks
    • 22 Jun 2021 3:53 AM
  • Query A Specific File Path for Items and Compare File Scoring

    • Under Review
    • 0 Comments
    ## Use descriptive name “filepath” as variableType “File Path” SELECT sfp.sha256, sfp.mlScore, sfp.puaScore, sfp.globalRep, sfp.localRep, f.path, f.filename, datetime(f.atime,'unixepoch','localtime') AS Last_Accessed, datetime(f...
    • 22 Jun 2021 3:54 AM
  • Query Changes In User Directory

    • Under Review
    • 0 Comments
    ##Set date as variable date and choose a timestamp: SELECT filename, (size / 1024) AS Kb, path, datetime(mtime,'unixepoch','localtime') Modifiedtime FROM file WHERE (Modifiedtime > $$date$$ AND filename != '.') AND (path LIKE 'C:\Users...
    • 22 Jun 2021 3:51 AM
  • Search subfolders for a specific filename or extension.

    • Under Review
    • 0 Comments
    Useful query to search entire subfolders for a specific extension or a filename. Supports wildcards in path and filename. SELECT path, directory, filename, device, size FROM file WHERE directory LIKE 'C:\users\%\desktop%%' AND filename LIKE '%%.exe...
    • 22 Jun 2021 3:49 AM
  • Excluding Hashes from various scans

    • Under Review
    • 3 Comments
    Hello all I am running a number of scans including but not limited to "Unsigned applications that were run" which I believe I got from this site. I find the results to be extremely "busy" with so many pages it is almost unusable (155). I am looking...
    • 22 Jun 2021 3:48 AM
  • How can I adjust this query so that it uses a list of items instead of just one file?

    • Under Review
    • 2 Comments
    I assume that searching for a list of files at once would be faster than searching for each file individually. So, how can I adjust this query so that it uses a list of items instead of just one file? --- Descriptive name Variable type SQL Variable...
    • 22 Jun 2021 3:47 AM
  • File information for file deleted by Sophos A/V

    • Under Review
    • 6 Comments
    Hi, I cannot find a table which lists files that have been deleted by the A/V scan due to detected malware. I'm trying to find the file's date time stamp and file size. I've tried the sophos_file_journal table but it doesn't include the files that...
    • 22 Jun 2021 3:17 AM
  • query required : Change in software state (Version) between two dates

    • Under Review
    • 1 Comment
    Hi Team, do you have a query to keep the state or version changes of all the software installed between 2 dates? Let's say I have the current Chrome installed on 17/11/20 as x.x.x.x and on 18/11/20 it changed to x.x.x.y. So if query the version...
    • 22 Jun 2021 3:14 AM
  • Stories from the Front Line - Finding files modified by ransomware

    • Under Review
    • 0 Comments
    REVIEWED by Sophos The Sophos Incident Response team is often very busy, today I checked in on some of their current efforts to help accounts respond to active breaches and lent a hand with a query. An account had ransomware hit some unprotected devices...
    • 22 Jun 2021 3:45 AM
  • Live Discover Query + Response in combination for file source investigation

    • Under Review
    • 1 Comment
    REVIEWED by Sophos I'm not aware that the current version of Live Query at least on Windows can obtain the equivalent of extended attributes of a file. That said, if you see a file you would like some more information on, i.e. the download source of...
    • 22 Jun 2021 2:57 AM
  • Live Discover Query: Common productivity files (documents/pictures) that were deleted or modified in the last 24 hours

    • Under Review
    • 1 Comment
    REVIEWED by Sophos This query generates a list of the file deletes and modifications by process and user for the last 24 hours. It can take some time to run but does what it says. /*************************************************** divided 24 hours...
    • 22 Jun 2021 3:41 AM
  • Live Discover Query - Ransom note discovery?

    • Under Review
    • 6 Comments
    REVIEWED by Sophos I'm not sure if this would work, or even how much merit there is in trying but here goes anyway. Ransomware, to the best of my limited knowledge, tends to add some sort of instruction file to an obvious location such as the user...
    • 22 Jun 2021 2:52 AM
  • Advanced Query - Get ALL filesystem activity for 1 min from an hour ago

    • Under Review
    • 0 Comments
    REVIEWED by Sophos Here at Sophos we are working on dozens of additional queries and would like your input. If you have a query you would like to see created or you have one you've been working on and want input from the community please just ask...
    • 22 Jun 2021 2:43 AM