
Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • XDR Query - Get OS Buildnumber with Patchlevel

    • Under Review on
    • 3 Comments
    Hello Community, is it possible to get the full OS build number, including the patch level (Windows), with an XDR query or another way? There is a query named "Hardware and operating system details", but with this query I only get the os_version and build, for...
  • NDR detection

    • Under Review on
    • 1 Comment
    Hi, I installed an NDR appliance in my network, and I'm getting these messages: NDR-DET-DDE-MACIPHOSTNAMECORRELATION "Source MAC address, IP address, and Hostname correlation based on MDNS and NetBIOS" The detection is low severity. Any idea...
  • Integration Status

    • Approved on
    • 0 Comments
    Identify the integrations that have information in the data lake, how much data they have sent and when they last sent data. NOTE: If no data has been sent to the data lake then the integration is not listed -- Display Integration status -- NOTE if...
  • AWS Security Hub - Explore detections

    • Approved on
    • 0 Comments
    The query below requires you to have set up the AWS Security Hub Connector. See https://community.sophos.com/mdr-community-channel/mtr-connector-eap/b/announcements/posts/enabling-asw-security-hub-guard-duty-in-mdr for instructions. SQL -- VARIABLE...
  • MS Graph detections by Day and Severity

    • Under Review on
    • 0 Comments
    List the number of MS Graph alerts by Day and Severity -- MS Graph trends by day WITH List AS ( SELECT substring(CAST(event_date_time AS VARCHAR),1,10) Day, Severity, COUNT(event_date_time) Severity_Events, CASE severity WHEN 'HIGH' THEN 3...
  • NDR: NDR Report - idsSrcIps Blacklist, botnets, and more

    • Under Review on
    • 0 Comments
    This query evaluates the NDR detection and report data to identify interesting detections that can also be seen from the Detections list page. -- List of communications to ids messages *Exclude ids_msg's that are NULL SELECT DISTINCT COUNT(*) instances...
  • MS Graph - List graph alerts by category

    • Under Review on
    • 1 Comment
    List detections by category with additional information on title, description, severity and count for the selected time period SELECT Category, title, description, severity, -- ARRAY_JOIN(ARRAY_AGG(title ||' :: '|| description),CHR(10)) title_list...
  • MS Graph Security - View detection count by category and severity

    • Under Review on
    • 0 Comments
    This query provides a count of the number of detections per category and severity. -- MS Graph API Alerts -- VARIABLE STRING $$category$$ -- VARIABLE STRING $$severity$$ WITH List AS ( SELECT Category, Severity, title, COUNT(event_date_time...
  • NDR Data exploration

    • Under Review on
    • 0 Comments
    With the Sophos NDR Connector configured and working you will have detections and reports available. How to set up the NDR Connector: https://community.sophos.com/mdr-community-channel/mdr-integrations-eap/w/ndr_wiki/127/deployment-and-configuration...
  • MS Graph Security - Explore

    • Under Review on
    • 0 Comments
    This query allows you to view the detection details that have been received from the MS Graph Connector. The primary table we are exploring is mdr_ms_graph_api_data. This query takes two variables, allowing you to set a filter by category and severity...
  • AWS Queries - Exploring AWS Data with Live Discover

    • Under Review on
    • 0 Comments
    Once you have configured the AWS Security Hub connector you can add some queries to explore the data. How to enable the AWS Security Hub Connector: https://community.sophos.com/mdr-community-channel/mdr-integrations-eap/b/announcements/posts/enabling...