Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Browse Ideas in Category
  • Generic Process Search on Windows

    • Under Review
    • 0 Comments
    Hi folks, Sophos already published a canned query for 'Search for processes (Windows)', and while that one is really useful I had some asks for a different approach that allowed for larger time windows in the search and some different parameters. ...
    • 22 Jun 2021 3:46 AM
  • Threat Hunting - Powershell Script Blocks

    • Under Review
    • 0 Comments
    With the Sophos process journals you can see loads of information about the execution of processes as well as their command lines, but you cannot see the session data used directly in powershell, since it is running within the same process. Thankfully...
    • 22 Jun 2021 3:15 AM
  • Process that writes on Shadow Copy space

    • Under Review
    • 2 Comments
    Any idea for creating a query in order to extract a list of processes that write on Shadow copy space during a specified interval of time? Thank you
    • 22 Jun 2021 3:29 AM
  • Process HTTP Calls

    • Under Review
    • 1 Comment
    In testing out Caldera recently, the sandcat tool brings up a good point of interest in identifying where GET calls are being made. SELECT sophos_http_journal.PID, sophos_http_journal.PID, datetime(sophos_http_journal.time,'unixepoch','localtime')...
    • 22 Jun 2021 3:28 AM
  • Decode encoded powershell

    • Approved
    • 2 Comments
    With the common use of powershell by cobalt strike and every other threat actor, I thought it would be nice to have a query that detects and decodes encoded powershell commands. The first query will simply decode base 64 encoded data (As you would see...
    • 22 Jun 2021 3:13 AM
  • Query - Are any Sophos services not running?

    • Under Review
    • 3 Comments
    REVIEWED by Sophos Sometimes adversaries are able to stop Sophos services, or the endpoint has had an install or update issue. As long as the live discover services are up and running you can find devices that do not have all the needed Sophos services...
    • 22 Jun 2021 3:08 AM
  • Live Discover - PowerShell command audit

    • Under Review
    • 0 Comments
    REVIEWED by Sophos Hello Threat Hunters! I mentioned in this post: https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/120201/live-response---command-audit/ how you could audit the history of PowerShell...
    • 22 Jun 2021 3:44 AM
  • Live Discover - Lateral movement detection

    • Approved
    • 2 Comments
    REVIEWED by Sophos With Live discover I wanted to explore if I can write a query to detect lateral movement between devices that are under management. Because Live Discover queries are run on individual devices we can not easily build a query that...
    • 22 Jun 2021 3:02 AM
  • Live Discover Query - Living off the land BITS

    • Under Review
    • 1 Comment
    REVIEWED by Sophos There are many libraries one can use for making web calls, be it PowerShell, WinHTTP, XML but one of the more stealthy technologies is Background Intelligent Transfer Service (BITS). Information is available here as a starting point...
    • 22 Jun 2021 3:01 AM
  • Live Discover Query: ALL system activity for N seconds from a date/time

    • Under Review
    • 2 Comments
    REVIEWED by Sophos This query will show ALL system activity that was recorded from a time period. Given the volume of data that can be returned we recommend only pulling a few seconds of information at a time and then using that to narrow down on...
    • 22 Jun 2021 3:00 AM
  • Live Discovery Query - SophosPID process activity digest

    • Under Review
    • 0 Comments
    REVIEWED by Sophos We have added a new table to the sophos forensics journals. The sophos_process_activity table. Often as part of an investigation you need to get a quick view of what a process did in the past and this table provides a quick...
    • 22 Jun 2021 3:43 AM
  • Live Discovery Query - Netsh - is something or someone allowing access?

    • Under Review
    • 1 Comment
    REVIEWED by Sophos I can imagine the scenario where malware has executed and maybe looks to set up a communication channel. In order to allow itself through the Windows firewall, it may well add an incoming rule using the command line tool netsh. It...
    • 22 Jun 2021 3:42 AM
  • Live Discovery Query: Process tree for a SophosPID

    • Under Review
    • 2 Comments
    REVIEWED by Sophos One of the first things I like to understand when looking at a suspect process is how did it get started and what children processes if any did it create. To do that we need to build a process tree from the sophos process journal...
    • 22 Jun 2021 3:00 AM
  • Live Discover Query - Checking for redirected web traffic to unknown processes

    • Under Review
    • 1 Comment
    REVIEWED by Sophos While looking at the "sophos_ip_journal table", I noticed the interesting field "redirectionState" which could be useful to find traffic that is being covertly redirected to a local proxy before being sent on its way unbeknown to...
    • 22 Jun 2021 3:38 AM
  • Live Discover Query - Sysinternals

    • Under Review
    • 1 Comment
    REVIEWED by Sophos We all know how useful the tools from Sysinternals are. Thanks Mark! Clearly they are so useful that the crooks use them too, in particular, PsExec is a favorite. When these tools are run you have to accept a EULA, this state is...
    • 22 Jun 2021 2:49 AM
  • Live Discover Query - identify devices where services could be an issue

    • Under Review
    • 1 Comment
    REVIEWED by Sophos One possibility is to simply query the "services" table for service status, for example: select s.display_name, s.status from services as s where (s.display_name like 'Sophos%' or s.display_name like 'HitmanPro%') and s.status...
    • 22 Jun 2021 2:46 AM