Sophos Community - Sophos Endpoint - Live Response
Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See "Getting Started In Live Discover - From Beginner to Advanced Query Creation". Make sure to also check out "Best Practices On Using Live Discover & Response Query Forum" and "Sophos EDR Threat Hunting Framework".
Note: For more information on Live Discover, please check out our Product Documentation.
Navigate to a category below to browse and submit a query
Browse Live Response and Discover Queries by Category
Uncategorized
Anomalies
ATT&CK
Compliance
Device
Email
Events
Files
Live Response
Network
Other queries
Processes
Query Tips
Registry
Threat Hunting
User
Data Lake
Live Response - Suspicious Process - Create a dump for offline analysis
jak, 1 May 2020 11:24 PM. Approved on 4 Jan 2021. 1 Comment.
[REVIEWED by Sophos] Imagine the scenario - you see what looks to be a suspicious process on an endpoint, maybe you've used Live Query to list modules but you need to dig a little deeper. Well, how about the following workflow: Initiate a Live Response...
Browser History
Parag Shukla, 10 Jan 2023 1:25 PM. Under Review on 10 Jan 2023. 0 Comments.
Hi Team, for hunting purposes, is it possible to get browser history from the end user's system? If someone knows about a related osquery, please share. I was trying with SELECT * FROM chrome_history LIMIT 10; but no luck.
Live Response - Force an update from the command line and checking status
jak, 30 Apr 2020 4:45 PM. Under Review on 30 Apr 2020. 0 Comments.
Given that Live Response is now live, this might be a useful command to initiate an "update now" from the command line: powershell -command $(New-Object -comObject "ActiveLinkClient.ClientUpdate.1").UpdateNow(1,1) You can monitor the progress by watching...
Live Response: Temperature of a machine
j0hnV, 6 Aug 2020 11:11 AM. Under Review on 6 Aug 2020. 2 Comments.
[REVIEWED by Sophos] In Celsius: function Get-Temperature { $t = Get-WmiObject MSAcpi_ThermalZoneTemperature -Namespace "root/wmi" $returntemp = @() foreach ($temp in $t.CurrentTemperature) { $currentTempKelvin...
Live Response - Investigating other devices
jak, 8 May 2020 4:45 PM. Under Review on 8 May 2020. 0 Comments.
Given the scenario where you have a number of computers at a site and in the same subnet, it may be possible to perform some remote diagnostics. Some example PowerShell commands are included below that could be used as-is or modified as needed. Finding...
Live Response - Don't forget Tamper Protection
jak, 30 Apr 2020 5:21 PM. Under Review on 30 Apr 2020. 1 Comment.
When performing a Live Response session with a view to troubleshooting Sophos components, it may be worthwhile confirming whether Tamper Protection (Endpoint Defense) is disabled. To do so you can run: "C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe"...
Live Response - Performance Check
jak, 2 May 2020 9:00 AM. Under Review on 2 May 2020. 1 Comment.
One of the most common problems users report is performance. These might be the vague "It just seems generally slow", or "when I do X it takes forever". Well, from the command line and through the magic that is Live Response, you can now answer these...
Live Response - Capturing network traffic
jak, 14 May 2020 11:05 PM. Under Review on 14 May 2020. 1 Comment.
[REVIEWED by Sophos] Given the ability to utilize Live Query, specifically the tables 'sophos_http_journal', 'sophos_ip_journal', 'sophos_url_journal', etc., I can see how it might be interesting to conduct a packet trace via Live Response. When people...
Live Response - Command audit
jak, 3 May 2020 9:47 AM. Under Review on 3 May 2020. 0 Comments.
At the current time you can specify a reason for the connection, but once connected it may be helpful to document a list of commands run. From the default command prompt, to print a list of previous commands for the session you can run: doskey /history...
Live Response - Making use of Sysinternals tools
jak, 3 May 2020 11:38 AM. Under Review on 3 May 2020. 0 Comments.
Given how useful the Sysinternals suite of tools is, it's probably worth a quick post to show how these can be obtained and used via Live Response to save disrupting an end user. Thankfully Sysinternals exposes the tools at the following location: ...
Live Response - Viewing the raw JSON Sophos Health trail files
jak, 30 Apr 2020 8:42 PM. Under Review on 30 Apr 2020. 0 Comments.
I can imagine a case where it might be helpful to process the raw trail files of Sophos Health found under: %ProgramData%\Sophos\Health\Event Store\Trail\ Note: It is possible to also get this information from Live Discover using the "sophos_events_summary...
Live Response - Using command line tools to check files
jak, 30 Apr 2020 10:02 PM. Under Review on 30 Apr 2020. 0 Comments.
There are a number of tools installed on the endpoint for evaluating files. For example: SAV32CLI.exe. Sav32cli is part of the Sophos Anti-Virus component. If you wished to scan a folder or file from the command line, you could run: sav32cli...
Live Response: Controlling Windows Firewall Using Netsh
JeramyKopacko, 1 Sep 2021 11:18 PM. Under Review on 1 Sep 2021. 0 Comments.
Imagine a scenario where you discover vulnerable ports or need to temporarily block an application, port, or other. Many environments will leverage GPOs to set their profiles and exceptions. On the fly, we can make changes in real-time to protect the...
Live Response read text files; change configuration files etc.
Giu, 19 Jul 2020 2:26 PM. Under Review on 19 Jul 2020. 2 Comments.
Hello, 99% of my time I use the GUI, so when it comes to using the CMD prompt I feel a little uncomfortable. I am trying to use Live Response; in the KB and other documentation it is stated that with Live Response on Windows you can: Reboot a device that...