Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See "Getting Started In Live Discover - From Beginner to Advanced Query Creation". Make sure to also check out "Best Practices On Using Live Discover & Response Query Forum" and the "Sophos EDR Threat Hunting Framework".
Note: For more information on Live Discover, please check out our Product Documentation.
Navigate to a category below to browse and submit a query
Browse Live Response and Discover Queries by Category
Uncategorized
Anomalies
ATT&CK
Compliance
Device
Email
Events
Files
Live Response
Network
Other queries
Processes
Query Tips
Registry
Threat Hunting
User
Data Lake
Figure out the original process that triggered a network connection (not swi_fc.exe)
reg1nleifr
Approved on
18 May 2022
4 Comments
Hello, I've been using the following query for some time to figure out the processes related to a network connection (getting suspicious network connections from other security products as input): # $$startTime$$ - Date # $$endTime$$ - Date # $$uri...
2 Aug 2021 1:03 PM
Query SNTP Logs On A Specific Date
JeramyKopacko
Approved on
19 May 2022
0 Comments
It may be valuable to view the parsed logs from your Sophos Network Threat Protection engine. Here you can see the time stamps, PID, program and URL accessed. --Declare YYYY-MM-DD as a string variable WITH sntp_table AS (SELECT * FROM grep WHERE...
26 May 2021 6:17 PM
Scanning for activity of IPv6 and NetBIOS
Christopher Danby
Under Review on
9 May 2022
1 Comment
Hi, I am looking for a way to have a query to detect all activity of NetBIOS and IPv6. These two ports need to be disabled on all network devices so I am looking for a query I can run on a monthly basis to confirm these ports are disabled. From...
9 May 2022 1:57 PM
[Sophos Firewall / Data Lake] Identify Attempts to Access Firewall by Country
Matthew Ritchie
Under Review on
18 Oct 2022
1 Comment
SELECT device_model, --device_serial_id, --app_name AS ProtoPort, --in_interface,-- --src_mac,-- src_ip, dst_ip, src_country, log_type AS Source_Log, log_subtype AS Decision, src_port, dst_port --protocol-- FROM xgfw_data ...
18 Oct 2022 7:47 PM
Find traffic for destination port
j0hnV
Approved on
18 May 2022
1 Comment
Variables DestinationPort and DaysToLookBack SELECT strftime('%Y-%m-%dT%H:%M:%SZ', datetime(snj.time,'unixepoch')) dateTime, u.username userName, snj.sophosPID, spj.processName processName, CAST(spj.cmdline AS TEXT) cmdLine, snj.source, snj.sourcePort...
5 May 2021 4:36 PM
Detecting a recurring beacon/call-home process
Karl_Ackerman
Approved on
18 May 2022
0 Comments
REVIEWED by Sophos. This may not work, as it is trying to do a fair bit of number crunching, and if the device has had a large number of network connections we will run into the watchdog process. As it stands this may take a few minutes to complete, during...
13 Aug 2020 3:32 AM
Outbound SMB Traffic
Albert Straniti
Approved on
18 May 2022
1 Comment
I am trying to determine what process is generating outbound SMB traffic on a system. I can see the traffic in the firewall logs, but when I use the query below, nothing comes up. It doesn't matter which system I check, or whether I use port 137 or 445...
28 Apr 2022 5:08 PM
Live Discovery - Need help to get current IP address
Diego Tavolari
Approved on
18 May 2022
5 Comments
Hi, need some help on creating a query that will show me the current IP address the machine is connecting from. Is there any nice easy way of doing this? I've tried with: interface_addresses.address Network_IP, But that returns the IP for all existing...
26 Apr 2021 1:02 PM
Live Discover Query - MAC address list
AndyM
Approved on
18 May 2022
1 Comment
REVIEWED by Sophos. A simple one for listing the interfaces of devices and their MAC addresses. Potentially handy if you need to check DHCP logs, firewall logs, or update your WIFI MAC filtering list. SELECT description "Desc", mac "MAC" FROM interface_details...
18 Jun 2020 4:37 PM