Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Live Discover Query - IFEO (someone had to mention it)

    • Approved
    • 1 Comment
    REVIEWED by Sophos No list of queries would be complete without at least one which focused on the "Image File Execution Options" or IFEO keys. In short, the IEFO key can be used to alter the behaviour of a given process at start-up. It is primarily...
    • 22 Jun 2021 2:54 AM
  • Live Discover Query - Artifacts of infection - Registry and other strings

    • Approved
    • 1 Comment
    REVIEWED by Sophos Given that malicious software is designed to evade detection and thwart the ability to remediate; there are plenty of registry keys that could provide some insight into prior infections or ongoing ones. I mention prior infections...
    • 22 Jun 2021 3:34 AM