Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See "Getting Started In Live Discover - From Beginner to Advanced Query Creation". Make sure to also check out "Best Practices On Using Live Discover & Response Query Forum" and "Sophos EDR Threat Hunting Framework".
For more information on Live Discover, please check out our
[LiveDiscoverHelp] IP address activity
Hi there! I would like to run the default IP address activity query in Live Discover. Unfortunately I do not get any data older than 2 weeks from my endpoint. Everything within the last 2 weeks I get the information. I tried IP addresses I visit every...
9 Nov 2021 1:35 PM
Port scan detection using Sophos Firewall data in the Data Lake
In this query I correlate 'Appliance Access' log entries logged by the Sophos Firewall to see if someone ran a port scan against my IP address / appliance. -- VARIABLE $$Ports_Seen_Threshold$$ String -- Ignoring log entries with src_port 53 (DNS) due...
12 Aug 2021 9:06 AM
Figure out the original process that triggered a network connection (not swi_fc.exe)
Hello, I've been using the following query for some time to figure out the processes related to a network connection (getting suspicious network connection from other security products as input): SELECT strftime('%Y-%m-%dT%H:%M:%SZ', datetime(ip...
9 Aug 2021 8:53 PM
Query SNTP Logs On A Specific Date
It may be valuable to view the parsed logs from your Sophos Network Threat Protection engine. ##Declare YYYY-MM-DD as a string variable WITH sntp_table AS (SELECT * FROM grep WHERE path = 'C:\ProgramData\Sophos\Sophos Network Threat Protection...
6 Jun 2021 5:46 AM
Find traffic for destination port
Variables DestinationPort and DaysToLookBack SELECT strftime('%Y-%m-%dT%H:%M:%SZ', datetime(snj.time,'unixepoch')) dateTime, u.username userName, snj.sophosPID, spj.processName processName, CAST(spj.cmdline AS TEXT) cmdLine, snj.source, snj.sourcePort...
22 Jun 2021 3:51 AM
Live Discovery - Need help to get current IP address
Hi, need some help on creating a query that will show me the current IP address the machine is connecting from. Is there any nice easy way of doing this? I've tried with: interface_addresses.address Network_IP, But that returns the IP for all existing...
22 Jun 2021 3:50 AM
Detecting a recurring beacon/call-home process
REVIEWED by Sophos This may not work as it is trying to do a fair bit of number crunching and if the device has had a large number of network connections we will run into the watchdog process. As it stands this may take a few minutes to complete, during...
22 Jun 2021 3:10 AM
Live Discover Query - MAC address list
REVIEWED by Sophos A simple one for listing the interfaces of devices and their MAC addresses. Potentially handy if you need to check DHCP logs, firewall logs, or update your WIFI MAC filtering list. SELECT description "Desc", mac "MAC" FROM interface_details...
23 Jun 2021 4:12 AM