Sophos Community
Site
User
Site
Search
User
Community & Product Forums
Sophos Endpoint
Sophos Firewall
Sophos Central
Sophos Factory
Sophos Mobile
Sophos Cloud Optix
Sophos Sensor
Sophos Switch
Sophos Wireless
Sophos Email
UTM Firewall
Community Blogs & Events
Sophos Community Blog
Community Security Blog
Product Documentation Blog
Application Control
Getting Started
Sophos Partners
Sophos Partners Group
Member Recognition
Community Leaderboards
More
Cancel
Sophos Endpoint
Registry
Release Notes & News
Discussions
Recommended Reads
Threat Hunting Academy
Early Access Programs
Live Discover & Response Query Forum
More
Cancel
New
Sophos Endpoint requires membership for participation - click to join
Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See
Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum
and
Sophos EDR Threat Hunting Framework
.
Note:
For more information on Live Discover, please check out our
Product Documentation
.
Navigate to a category below to browse and submit a query
Browse Live Response and Discover Queries by Category
Uncategorized
Anomalies
ATT&CK
Compliance
Device
Email
Events
Files
Live Response
Network
Other queries
Processes
Query Tips
Registry
Threat Hunting
User
Data Lake
Browse Ideas in Category
By highest score
By date
By recent status change
Descending
Ascending
All ideas
Ideas you submitted
Ideas you voted on
With any status
With any open status
With any closed status
With held votes
Currently 'Completed (Brand-new content)'
Currently 'Completed (Content Update)'
Currently 'Completed (Minor Issue)'
Currently 'Approved'
Currently 'Under Review'
Currently 'Coming Soon'
Currently 'Not Planned'
Currently 'Complete'
Live Discover Query - Artifacts of infection - Registry and other strings
jak
Approved on
29 Nov 2021
1 Comment
REVIEWED by Sophos Given that malicious software is designed to evade detection and thwart the ability to remediate; there are plenty of registry keys that could provide some insight into prior infections or ongoing ones. I mention prior infections...
28 Apr 2020 8:08 PM
Determine is device(s) are in EAP
SpencerBrown
Under Review on
11 Mar 2022
1 Comment
When a device is enrolled in Early Access, many of the Sophos service tags for registry keys go from RECOMMENDED to BETA. Upon reviewing the results of this query, if any devices return with "data" : "BETA" - those devices are in the early access program...
11 Mar 2022 8:30 PM
Live Discover Query - IFEO (someone had to mention it)
jak
Approved on
29 Nov 2021
1 Comment
REVIEWED by Sophos No list of queries would be complete without at least one which focused on the "Image File Execution Options" or IFEO keys. In short, the IEFO key can be used to alter the behaviour of a given process at start-up. It is primarily...
3 May 2020 10:33 AM