Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Live Discover Query - Artifacts of infection - Registry and other strings

    • Approved on
    • 1 Comment
    REVIEWED by Sophos Given that malicious software is designed to evade detection and thwart the ability to remediate; there are plenty of registry keys that could provide some insight into prior infections or ongoing ones. I mention prior infections...
  • Determine is device(s) are in EAP

    • Under Review on
    • 1 Comment
    When a device is enrolled in Early Access, many of the Sophos service tags for registry keys go from RECOMMENDED to BETA. Upon reviewing the results of this query, if any devices return with "data" : "BETA" - those devices are in the early access program...
  • Live Discover Query - IFEO (someone had to mention it)

    • Approved on
    • 1 Comment
    REVIEWED by Sophos No list of queries would be complete without at least one which focused on the "Image File Execution Options" or IFEO keys. In short, the IEFO key can be used to alter the behaviour of a given process at start-up. It is primarily...