Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • [LiveDiscoverHelp] IP address activity

    • Under Review
    • 3 Comments
    Hi there! I would like to run the default IP address activity query in Live Discover. Unfortunately, I do not get any data older than 2 weeks from my endpoint. For everything within the last 2 weeks I get the information. I tried IP addresses I visit every...
    • 9 Nov 2021 1:35 PM
  • Port scan detection using Sophos Firewall data in the Data Lake

    • Under Review
    • 2 Comments
    In this query I correlate 'Appliance Access' log entries logged by the Sophos Firewall to see if someone ran a port scan against my IP address / appliance. -- VARIABLE $$Ports_Seen_Threshold$$ String -- Ignoring log entries with src_port 53 (DNS) due...
    • 12 Aug 2021 9:06 AM
  • Figure out the original process that triggered a network connection (not swi_fc.exe)

    • Under Review
    • 4 Comments
    Hello, I've been using the following query for some time to figure out the processes related to a network connection (getting suspicious network connection from other security products as input): SELECT strftime('%Y-%m-%dT%H:%M:%SZ', datetime(ip...
    • 9 Aug 2021 8:53 PM
  • Query SNTP Logs On A Specific Date

    • Under Review
    • 0 Comments
    It may be valuable to view the parsed logs from your Sophos Network Threat Protection engine. ##Declare YYYY-MM-DD as a string variable WITH sntp_table AS (SELECT * FROM grep WHERE path = 'C:\ProgramData\Sophos\Sophos Network Threat Protection...
    • 6 Jun 2021 5:46 AM
  • Find traffic for destination port

    • Under Review
    • 1 Comment
    Variables DestinationPort and DaysToLookBack SELECT strftime('%Y-%m-%dT%H:%M:%SZ', datetime(snj.time,'unixepoch')) dateTime, u.username userName, snj.sophosPID, spj.processName processName, CAST(spj.cmdline AS TEXT) cmdLine, snj.source, snj.sourcePort...
    • 22 Jun 2021 3:51 AM
  • Live Discovery - Need help to get current IP address

    • Under Review
    • 5 Comments
    Hi, need some help on creating a query that will show me the current IP address the machine is connecting from. Is there any nice easy way of doing this? I've tried with: interface_addresses.address Network_IP, But that returns the IP for all existing...
    • 22 Jun 2021 3:50 AM
  • Detecting a recurring beacon/call-home process

    • Under Review
    • 0 Comments
    REVIEWED by Sophos This may not work as it is trying to do a fair bit of number crunching and if the device has had a large number of network connections we will run into the watchdog process. As it stands this may take a few minutes to complete, during...
    • 22 Jun 2021 3:10 AM
  • Live Discover Query - MAC address list

    • Under Review
    • 1 Comment
    REVIEWED by Sophos A simple one for listing the interfaces of devices and their MAC addresses. Potentially handy if you need to check DHCP logs, firewall logs, or update your Wi-Fi MAC filtering list. SELECT description "Desc", mac "MAC" FROM interface_details...
    • 23 Jun 2021 4:12 AM