Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Query IPS (snort) Rules on Endpoint

    • Approved on
    Many thanks to Karl_Ackerman for the assist on completing this query. It may be valuable to discover what rule sets are currently deployed to your snort (IPS) engine. WITH ips_rule_table AS (SELECT * FROM grep WHERE path = 'C:\ProgramData\Sophos\Sophos...
  • Custom curl query?

    • Under Review on
    Does anyone know of or have a custom live discover query that can identify any processes, programs running cURL? I am seeing something to help identify the vulnerability located in CVE-2023-38545. Description The version of curl installed on the remote...
  • Query Deployed Integrations

    • Approved on
    This query will list all deployed MDR Integrations. SELECT sensor_type Integration_Category, sensor_vendor Vendor, COUNT(*) Records, CAST(CAST(SUM(upload_size)/1024.0 AS DECIMAL(10,2)) AS VARCHAR)||'KB' Data_uploaded, CAST(DATE_DIFF('hour...