Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Browse Ideas in Category

  • Query IPS (snort) Rules on Endpoint

    JeramyKopacko
    • Approved on
    • 0 Comments
    Many thanks to Karl_Ackerman for the assist on completing this query. It may be valuable to discover what rule sets are currently deployed to your snort (IPS) engine. WITH ips_rule_table AS (SELECT * FROM grep WHERE path = 'C:\ProgramData\Sophos\Sophos...

  • Custom curl query?

    Andrew Bishop
    • Under Review on
    • 8 Comments
    Does anyone know of or have a custom live discover query that can identify any processes, programs running cURL? I am seeing something to help identify the vulnerability located in CVE-2023-38545. Description The version of curl installed on the remote...

  • Query Deployed Integrations

    Qoosh
    • Approved on
    • 0 Comments
    This query will list all deployed MDR Integrations. SELECT sensor_type Integration_Category, sensor_vendor Vendor, COUNT(*) Records, CAST(CAST(SUM(upload_size)/1024.0 AS DECIMAL(10,2)) AS VARCHAR)||'KB' Data_uploaded, CAST(DATE_DIFF('hour...
Unfiltered HTML