Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
If Sophos pre-defined queries aren't working, Sophos Support can help to ensure that data is uploaded from your devices to the Sophos Data Lake. Visit the support portal
For custom query assistance, please see Getting LD&R Community Support or contact Sophos Professional Services.
For more information on Live Discover, please check out our Product Documentation

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Live Response: Return WindowsOS assets set NIC Gateway IP

    Troden
    • Live Response
    • Under Review on
    • 1 Comment
    G'Day Community, Does anyone know how I could run a live response query that can return the machine's Gateway IP on its configured NICs? I've run all the related network queries: Network Interface details, Network Interfaces, and Network Interface...

  • Failed to found file with XDR Query

    Dymar Support
    • Files
    • Under Review on
    • 3 Comments
    Hi All I have tried this query on my sophos dashboard. However, there is no result but the files with zepto extension are existing in the below mentioned folder. SELECT filename,path,directory FROM file WHERE directory like 'D:\OKI 2 CMEIAH\MMP...

  • XDR LiveDiscover. Query for NTLM authentication.

    LMSIIATO
    • Data Lake
    • Under Review on
    • 0 Comments
    Hello everyone, in my domain I would like to disable NTLM authentication. Before disabling it completely, I wanted to do an audit to see if any applications or servers were still using it. It would be nice to be able to make an OsQuery from livediscover...

  • Data Lake Query missing query_name = system_info from xdr_table

    BostjanR
    • Data Lake
    • Under Review on
    • 0 Comments
    Hello, is there any option to add system_info endpoint query (and data) to Sophos data lake? Is there any valid reason that this info is not included by default by Sophos XDR? Is there any option to schedule this query on endpoints so that we can...

  • Checking open ports on servers

    Reem Jalal Eddine
    • Network
    • Under Review on
    • 1 Comment
    Hi, I am wondering is there any way we can view what ports are open on each server, I mean not through firewall rules.

  • [LiveDiscoverHelp] Memory_info table on os_query schema is missing for Windows while for Linux its available.

    YenzLS
    • Query Tips
    • Complete on
    • 1 Comment
    We have a script that will display system memory and load but is only available for Linux devices. Pre canned script = "System memory and load" Is there a script for windows devices that will display system memory and load? If so can you please provide...

  • Add support for BypassIO in Windows storage filter driver

    Playa
    • Compliance
    • Under Review on
    • 0 Comments
    Hello, I hope i dont miss a thread already discussing this topic. Starting with Windows 10 1909 we have the ability to use DirectStorage, besides hardware requirements the software also needs to be capable of this. The storage filter driver of Sophos...

  • cURL vulnerability - CVE-2023-38545

    Qoosh
    • Threat Hunting
    • Approved on
    • 0 Comments
    This is a live discover query. with file_list as ( select spj.cmd_line, sfj.path, sfj.file from sophos_file_journal as sfj join sophos_process_journal as spj on spj.sophos_pid = sfj.sophos_pid where sfj.subject = "FileBinaryReads" and sfj.event_type...

  • Intercept X Advanced, Server Event Logs

    AStaUK
    • Events
    • Under Review on
    • 3 Comments
    I'm just getting started with Intercept X and when I was being demoed the product I'm sure one of the features I was shown was the ability to store the Windows Event Logs in the cloud. But so far I've not been able to achieve this or find any documentation...

  • Controlled Folder Access

    TeodoloFamilgan
    • Anomalies
    • Complete on
    • 1 Comment
    Hi, I would like to feature request this "controlled folder access" from Windows Defender to our Sophos Endpoint security for an additional layer of security. Thanks, Ted
Unfiltered HTML