Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation. Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Note: For more information on Live Discover, please check out our Product Documentation.
Navigate to a category below to browse and submit a query
Browse Live Response and Discover Queries by Category
Uncategorized
Anomalies
ATT&CK
Compliance
Device
Email
Events
Files
Live Response
Network
Other queries
Processes
Query Tips
Registry
Threat Hunting
User
Data Lake
Load a local CSV file or Remote CSV File as a virtual table
Karl_Ackerman
Under Review on 6 May 2021
0 Comments
You can supply a file path or URL location where a CSV File is located and it will load it into a virtual table for use with the query. Watch the Video then play with the query. https://vimeo.com/545619419 -- LOAD CSV from GIT LOCATION -- VARIABLE...
6 May 2021 2:05 AM
Why doesn't this query work?
Genc Kelmendi
Under Review on 29 Dec 2020
2 Comments
What's wrong with this query? Why doesn't it work? I know for a fact that there are files named "VIRUS.exe", and yet live discovery doesn't return any results. SELECT path, directory, filename, device, size FROM file WHERE path LIKE '%VIRUS.exe%' ...
29 Dec 2020 11:03 AM
Live Discover Query + Response in combination for file source investigation
jak
Approved on 18 May 2022
1 Comment
REVIEWED by Sophos I'm not aware that the current version of Live Query at least on Windows can obtain the equivalent of extended attributes of a file. That said, if you see a file you would like some more information on, i.e. the download source of...
9 May 2020 9:41 PM
Live Discovery Query: How to bulk process a CSV List of SHA256 data
Karl_Ackerman
Under Review on 27 May 2020
4 Comments
REVIEWED by Sophos When hunting for indicators of compromise it is not uncommon to find a list of things you should be checking. In the example below I will show how to use variables to select some csv data that is under 5KB in size and then convert...
27 May 2020 12:07 PM
Live Discover tip - how to select time limits in a human readable format - use STRFTIME
AK
Under Review on 17 Apr 2020
1 Comment
REVIEWED by Sophos I've been dumping some tables recently to see what kind of data is in them, and noticed that many of the default queries limit the results to the last 15 minutes of data if a time constraint is not specified (and fair enough, given...
17 Apr 2020 6:42 PM