Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

  • Search subfolders for a specific filename or extension.
    Status: Approved, 1 comment
    Useful query to search entire subfolders for a specific extension or a filename. Supports wildcards in path and filename. SELECT path, directory, filename, device, size FROM file WHERE directory LIKE 'C:\users\%\desktop%%' AND filename LIKE '%%.exe...
  • Stories from the Front Line - Finding files modified by ransomware
    Status: Approved, 0 comments
    REVIEWED by Sophos The Sophos Incident Response team is often very busy; today I checked in on some of their current efforts to help accounts respond to active breaches and lent a hand with a query. An account had ransomware hit some unprotected devices...
  • Query A Specific File Path for Items and Compare File Scoring
    Status: Approved, 0 comments
    ## Use descriptive name “filepath” as variableType “File Path” SELECT sfp.sha256, sfp.mlScore, sfp.puaScore, sfp.globalRep, sfp.localRep, f.path, f.filename, datetime(f.atime,'unixepoch','localtime') AS Last_Accessed, datetime(f...
  • Live Discover Query: Common productivity files (documents/pictures) that were deleted or modified in the last 24 hours
    Status: Approved, 3 comments
    REVIEWED by Sophos This query generates a list of the file deletes and modifications by process and user for the last 24 hours. It can take some time to run but does what it says. /*************************************************** divided 24 hours...
  • Advanced Query - Get ALL filesystem activity for 1 min from an hour ago
    Status: Approved, 0 comments
    REVIEWED by Sophos Here at Sophos we are working on dozens of additional queries and would like your input. If you have a query you would like to see created, or you have one you've been working on and want input from the community, please just ask...
  • File information for file deleted by Sophos A/V
    Status: Approved, 6 comments
    Hi, I cannot find a table which lists files that have been deleted by the A/V scan due to detected malware. I'm trying to find the file's date time stamp and file size. I've tried the sophos_file_journal table but it doesn't include the files that...
  • EDR Query to list deleted files in a directory
    Status: Approved, 0 comments
    Description We've been asked a few times if it's possible to write a quick query to list files deleted in a particular directory. This query below is a modification of the existing File Access History Query to just show deleted files for a specified...
  • Retrieve Folder Size
    Status: Approved, 1 comment
    I know you can get data back from files, but is there a way to modify the OSQuery to get folder or directory information? Wanted to get Desktop and Document size, and convert if possible to MB.
  • Find only new created files by extension
    Status: Under Review, 1 comment
    Hi, I did a copy of the default live query "File access history". I'm only interested in new files that have been created in that timeframe. The demand is a bit like the default "New applications deployed" query, but not only for applications. ...
  • List Office Macro documents touched on a client computer (from Data Lake)
    Status: Under Review, 4 comments
    Hi, this Data Lake query finds all Office Documents by file name in a given time frame and on a specific host or all hosts (wildcard), and only those that have not been touched by a specific process (e.g. dropbox.exe). Unfortunately it does not find...
  • Excluding Hashes from various scans
    Status: Approved, 3 comments
    Hello all, I am running a number of scans including but not limited to "Unsigned applications that were run", which I believe I got from this site. I find the results to be extremely "busy", with so many pages it is almost unusable (155). I am looking...
  • Live Discover Query - Ransom note discovery?
    Status: Approved, 6 comments
    REVIEWED by Sophos I'm not sure if this would work, or even how much merit there is in trying, but here goes anyway. Ransomware, to the best of my limited knowledge, tends to add some sort of instruction file to an obvious location such as the user...
  • How can I adjust this query so that it uses a list of items instead of just one file?
    Status: Approved, 2 comments
    I assume that searching for a list of files at once would be faster than searching for each file individually. So, how can I adjust this query so that it uses a list of items instead of just one file? --- Descriptive name Variable type SQL Variable...