Sophos Community
Intercept X Endpoint
Live Discover & Response Query Forum
MITRE ATT&CK EXFILTRATION Tactic IOC Detection
Karl_Ackerman
Approved
Live Discover
0 Comments
Here is a query that looks at process and cmdlines to map to IOCs in the Exfiltration tactic for Mitre -- VARIABLE $$Start Search on Date and Time$$ DATE -- VARIABLE $$Total Hours to search$$ STRING -- Process cmdline IOC search, mapped to MITRE...
31 Dec 2020 6:53 PM
EDR Query to find all local admins (Windows)
Jacob Jensen2
Under Review
Live Discover
8 Comments
I am searching for a way to query the local Administrators security group on every device in our environment. This seems like something Live Discover is capable of doing, but I haven't been able to figure out the OSQuery syntax to get it done. Right...
18 Feb 2021 8:19 PM
List software installed between two dates
MichaelCurtis
Under Review
Live Discover
0 Comments
REVIEWED by Sophos This query will list all the software installed between two dates, taking Sophos out of the list. The variable screen is below. It also shows the format. Some software has no date so that is returned just in case it helps SELECT...
16 Jul 2020 2:20 PM
Live Discover Query - Artifacts of infection - Registry and other strings
jak
Under Review
Live Discover
1 Comment
REVIEWED by Sophos Given that malicious software is designed to evade detection and thwart the ability to remediate; there are plenty of registry keys that could provide some insight into prior infections or ongoing ones. I mention prior infections...
28 Apr 2020 8:08 PM
Stories from the Front Line - Finding files modified by ransomware
Karl_Ackerman
Under Review
Live Discover
0 Comments
REVIEWED by Sophos The Sophos Incident Response team is often very busy, today I checked in on some of their current efforts to help accounts respond to active breaches and lent a hand with a query. An account had ransomware hit some unprotected devices...
12 Aug 2020 3:09 PM
Process HTTP Calls
RustbeltSE
Under Review
Live Discover
0 Comments
In testing out Caldera recently, the sandcat tool brings up a good point of interest in identifying where GET calls are being made. SELECT sophos_http_journal.PID, sophos_http_journal.PID, datetime(sophos_http_journal.time,'unixepoch','localtime')...
25 Nov 2020 7:46 PM
Live Discovery Query: Identify new admin accounts
Karl Ackerman
Under Review
Live Discover
0 Comments
REVIEWED by Sophos This query will identify new admin accounts created in the last N Days. SELECT u.username, (SELECT datetime FROM sophos_windows_events WHERE eventid = '4720' AND json_extract(json_extract(data, '$.EventData'),'$.TargetSid') = u...
10 Jun 2020 1:48 PM
Gather System Information
RustbeltSE
Under Review
Live Discover
0 Comments
This query can be used for general IT. Perhaps an organization is considering new software or wants to compare serial numbers for warranty. SELECT uuid, hardware_serial, hostname, cpu_subtype, cpu_brand, physical_memory, hardware_vendor, hardware_model FROM...
16 Nov 2020 9:51 PM
MITRE ATT&CK IMPACT Tactic IOC Detection
Karl_Ackerman
Approved
Live Discover
0 Comments
Experimenting with a simple query to detect IOC's based on process/cmdline analysis. This one below maps the MITRE ATT&CK framework for IMPACT. -- VARIABLES -- Start Search on Date and Time Date -- Total Hours to search STRING -- Detect MITRE...
31 Dec 2020 6:53 PM
Query - Are any Sophos services not running?
Karl_Ackerman
Under Review
Live Discover
3 Comments
REVIEWED by Sophos Sometimes adversaries are able to stop Sophos services, or the endpoint has had an install or update issue. As long as the Live Discover services are up and running, you can find devices that do not have all the needed Sophos services...
12 Aug 2020 3:36 PM