Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Live Response: Controlling Windows Firewall Using Netsh

    • Under Review
    • 0 Comments
    Imagine a scenario where you discover vulnerable ports or need to temporarily block an application, port, or other. Many environments will leverage GPOs to set their profiles and exceptions. On the fly, we can make changes in real-time to protect the...
    • 1 Sep 2021 11:18 PM
  • Live Response: Temperature of a machine

    • Under Review
    • 2 Comments
    REVIEWED by Sophos In Celsius -------------------------------------- function Get-Temperature { $t = Get-WmiObject MSAcpi_ThermalZoneTemperature -Namespace "root/wmi" $returntemp = @() foreach ($temp in $t.CurrentTemperature) { $currentTempKelvin...
    • 22 Jun 2021 3:45 AM
  • Live Response read text files; change configuration files etc.

    • Under Review
    • 2 Comments
    Hello, 99% of my time I use the GUI, so when it comes to using the CMD prompt I feel a little uncomfortable. I am trying to use Live Response; in the KB and other documentation it is stated that with Live Response on Windows you can: Reboot a device...
    • 22 Jun 2021 3:45 AM
  • Live Response - Capturing network traffic

    • Under Review
    • 1 Comment
    REVIEWED by Sophos Given the ability to utilize Live Query, specifically the tables 'sophos_http_journal', 'sophos_ip_journal', 'sophos_url_journal', etc. I can see how it might be interesting to conduct a packet trace via Live Response. When people...
    • 22 Jun 2021 2:58 AM
  • Live Response - Investigating other devices

    • Under Review
    • 0 Comments
    Given the scenario where you have a number of computers at a site and in the same subnet, it may be possible to perform some remote diagnostics. Some example PowerShell commands are included below that could be used as-is or modified as needed. Finding...
    • 22 Jun 2021 2:56 AM
  • Live Response - Making use of Sysinternals tools

    • Under Review
    • 0 Comments
    Given how useful the Sysinternals suite of tools is, it's probably worth a quick post to show how these can be obtained and used via Live Response to save disrupting an end user. Thankfully Sysinternals exposes the tools at the following location:...
    • 22 Jun 2021 2:55 AM
  • Live Response - Command audit

    • Under Review
    • 0 Comments
    At the current time you can specify a reason for the connection, but once connected it may be helpful to document a list of commands run. From the default command prompt, to print a list of previous commands for the session you can run: doskey /history...
    • 22 Jun 2021 3:39 AM
  • Live Response - Performance Check

    • Under Review
    • 1 Comment
    One of the most common problems users report is performance. These might be the vague: "It just seems generally slow", or "when I do X it takes forever". Well, from the command line and through the magic that is Live Response, you can now answer these...
    • 22 Jun 2021 3:39 AM
  • Live Response - Suspicious Process - Create a dump for offline analysis

    • Approved
    • 1 Comment
    REVIEWED by Sophos Imagine the scenario - you see what looks to be a suspicious process on an endpoint, maybe you've used Live Query to list modules but you need to dig a little deeper. Well, how about the following workflow: Initiate a Live...
    • 22 Jun 2021 3:39 AM
  • Live Response - Using command line tools to check files

    • Under Review
    • 0 Comments
    There are a number of tools installed on the endpoint for evaluating files. For example: SAV32CLI.exe Sav32cli which is part of the Sophos Anti-Virus component. If you wished to scan a folder or file, from the command line you could run: sav32cli...
    • 22 Jun 2021 2:52 AM
  • Live Response - Viewing the raw JSON Sophos Health trail files

    • Under Review
    • 0 Comments
    I can imagine a case where it might be helpful to process the raw trail files of Sophos Health found under: %ProgramData%\Sophos\Health\Event Store\Trail\ Note: It is possible to also get this information from Live Discover using the "sophos_events_summary...
    • 22 Jun 2021 2:52 AM
  • Live Response - Don't forget Tamper Protection

    • Under Review
    • 1 Comment
    When performing a Live Response session, with a view to troubleshoot Sophos components, it may be worthwhile confirming if Tamper Protection (Endpoint Defense) is disabled. To do so you can run: "C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe...
    • 22 Jun 2021 2:52 AM
  • Live Response - Force an update from the command line and checking status

    • Under Review
    • 0 Comments
    Given that Live Response is now live, this might be a useful command to initiate an "update now" from the command line: powershell -command $(New-Object -comObject "ActiveLinkClient.ClientUpdate.1").UpdateNow(1,1) You can monitor the progress by...
    • 22 Jun 2021 3:33 AM