Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Browse Ideas in Category

  • Figure out the original process that triggered a network connection (not swi_fc.exe)

    reg1nleifr
    • Approved on
    • 4 Comments
    Hello, I've been using the following query for some time to figure out the processes related to a network connection (getting suspicious network connection from other security products as input): # $$startTime$$ - Date # $$endTime$$ - Date # $$uri...

  • Query SNTP Logs On A Specific Date

    JeramyKopacko
    • Approved on
    • 0 Comments
    It may be valuable to view the parsed logs from your Sophos Network Threat Protection engine. Here you can see the time stamps, PID, program and URL accessed. --Declare YYYY-MM-DD as a string variable WITH sntp_table AS (SELECT * FROM grep WHERE...

  • Scanning for activity of IPv6 and NetBIOS

    Christopher Danby
    • Under Review on
    • 1 Comment
    Hi, I am looking for a way to have a query to detect all activity of NetBIOS and IPv6. These two ports need to be disabled on all network devices so I am looking for a query I can run on a monthly basis to confirm these ports are disabled. From...

  • [Sophos Firewall / Data Lake] Identify Attempts to Access Firewall by Country

    Matthew Ritchie
    • Under Review on
    • 1 Comment
    SELECT device_model, --device_serial_id, --app_name AS ProtoPort, --in_interface,-- --src_mac,-- src_ip, dst_ip, src_country, log_type AS Source_Log, log_subtype AS Decision, src_port, dst_port --protocol-- FROM xgfw_data ...

  • Find traffic for destination port

    j0hnV
    • Approved on
    • 1 Comment
    Variables DestinationPort and DaysToLookBack SELECT strftime('%Y-%m-%dT%H:%M:%SZ', datetime(snj.time,'unixepoch')) dateTime, u.username userName, snj.sophosPID, spj.processName processName, CAST(spj.cmdline AS TEXT) cmdLine, snj.source, snj.sourcePort...

  • Detecting a recurring beacon/call-home process

    Karl_Ackerman
    • Approved on
    • 0 Comments
    REVIEWED by Sophos This may not work as it is trying to do a fair bit of number crunching and if the device has had a large number of network connections we will run into the watchdog process. As it stands this may take a few minutes to complete, during...

  • Outbound SMB Traffic

    Albert Straniti
    • Approved on
    • 1 Comment
    I am trying to determine what process is generating outbound SMB traffic on a system. I can see the traffic in the firewall logs, but when I use the query below, nothing comes up. It doesn't matter which system I check, or whether I use port 137 or 445...

  • Live Discovery - Need help to get current IP address

    Diego Tavolari
    • Approved on
    • 5 Comments
    Hi, need some help on creating a query that will show me the current IP address the machine is connecting from. Is there any nice easy way of doing this? I've tried with: interface_addresses.address Network_IP, But that returns the IP for all existing...

  • Live Discover Query - MAC address list

    AndyM
    • Approved on
    • 1 Comment
    REVIEWED by Sophos A simple one for listing the interfaces of devices and their MAC addresses. Potentially handy if you need to check DHCP logs, firewall logs, or update your WIFI MAC filtering list. SELECT description "Desc", mac "MAC" FROM interface_details...
Unfiltered HTML