Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Load a local CSV file or Remote CSV File as a virtual table

    • Under Review on
    • 0 Comments
    You can supply a file path or URL location where a CSV File is located and it will load it into a virtual table for use with the query. Watch the Video then play with the query. https://vimeo.com/545619419 -- LOAD CSV from GIT LOCATION -- VARIABLE...
  • Why doesn't this query work?

    • Under Review on
    • 2 Comments
    What's wrong with this query? Why doesn't it work? I know for a fact that there are files named "VIRUS.exe", and yet Live Discover doesn't return any results. SELECT path, directory, filename, device, size FROM file WHERE path LIKE '%VIRUS.exe%' ...
  • Live Discover Query + Response in combination for file source investigation

    • Approved on
    • 1 Comment
    REVIEWED by Sophos I'm not aware that the current version of Live Query, at least on Windows, can obtain the equivalent of extended attributes of a file. That said, if you see a file you would like some more information on, i.e. the download source of...
  • Live Discovery Query: How to bulk process a CSV List of SHA256 data

    • Under Review on
    • 4 Comments
    REVIEWED by Sophos When hunting for indicators of compromise it is not uncommon to find a list of things you should be checking. In the example below I will show how to use variables to select some CSV data that is under 5KB in size and then convert...
  • Live Discover tip - how to select time limits in a human readable format - use STRFTIME

    • Under Review on
    • 1 Comment
    REVIEWED by Sophos I've been dumping some tables recently to see what kind of data is in them, and noticed that many of the default queries limit the results to the last 15 minutes of data if a time constraint is not specified (and fair enough, given...