Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Detecting IOCs from ACSC 2020-008 The Copy-Paste Compromise Notification

    • Under Review on
    • 1 Comment
    REVIEWED by Sophos Hello all, The Australian Federal Government recently issued a warning to all Australians that we're under an increasing number of cyber attacks. Although this served as a general warning to everyone, the Australia Cyber Security...
  • IOC PrintNightmare CVE-2021-1675

    • Under Review on
    • 4 Comments
    Hello, can somebody help me with creating a query for detecting if the PrintNightmare vulnerability was abused? I want to build a query which checks if the folder C:\Windows\System32\spool\drivers\x64\3\old exists. Greets, Dennis
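    One way to answer the question above, as an added example that is not part of the thread or Sophos' own query library. It assumes Live Discover exposes the standard osquery `file` table and that the directory named in the question is the one to test for; it makes no claim about what the presence of that directory proves beyond what the poster states. Two SELECTs are combined with UNION ALL rather than an OR because the `file` table needs a `path` or `directory` constraint on each branch to return rows.

```sql
-- Added example (not from the thread): report the spool "old" directory the
-- poster asked about, plus anything beneath it, with timestamps for triage.
-- Assumes osquery's `file` table as exposed by Live Discover (assumption).

-- Branch 1: the "old" directory itself. Constraining on `directory` lists the
-- entries of 3\ and the filename filter keeps only the one we care about.
SELECT
    path,
    type,
    datetime(btime, 'unixepoch') AS created_utc,
    datetime(mtime, 'unixepoch') AS modified_utc
FROM file
WHERE directory = 'C:\Windows\System32\spool\drivers\x64\3\'
  AND filename = 'old'

UNION ALL

-- Branch 2: contents of old\ (replaced driver sets), one row per entry.
-- The trailing backslash plus % wildcard is what osquery needs to enumerate
-- the children of a directory on Windows.
SELECT
    path,
    type,
    datetime(btime, 'unixepoch') AS created_utc,
    datetime(mtime, 'unixepoch') AS modified_utc
FROM file
WHERE path LIKE 'C:\Windows\System32\spool\drivers\x64\3\old\%';
```

An empty result set means neither the directory nor any children exist on that endpoint; a non-empty result is a lead to pivot on (for example, correlate `created_utc` with spooler activity in the same window), not a verdict on its own.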
  • Live Discover Query - Malware persistence

    • Under Review on
    • 2 Comments
    REVIEWED by Sophos Below are a few basic queries for pulling back data from places that malware likes to use for persistence. First up, Registry Run keys: SELECT r.path, r.name, r.data, REPLACE(REPLACE(REPLACE(REGEX_SPLIT(r....
  • Compare IP activity to Remote List of IOC IP addresses

    • Under Review on
    • 0 Comments
    Utilizing a post from Karl_Ackerman and the precanned queries in Sophos Central, here is a query that can pull down a remote csv table, and join it to the sophos_ip_journal. It takes one variable: URL -- String -- $$URL$$ In this use case, I took...
  • T1078 - CVE-2020-1472 - Netlogon

    • Under Review on
    • 0 Comments
    This is an older vulnerability but still nice to showcase the capabilities of how XDR can discover CVEs. This query will search for and detect the Windows vulnerability affecting the Netlogon feature. Sophos Security Bulletin: https://community.sophos.com...
  • FORCEDENTRY Big Sur 11.6 Version Check

    • Under Review on
    • 0 Comments
    SELECT CASE WHEN version = '11.6' THEN 'Not Vulnerable to FORCEDENTRY' ELSE 'Vulnerable | Upgrade to 11.6' END AS BigSurCheck FROM os_version WHERE major = '11'
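    The query above compares the `version` string for equality with '11.6', so an endpoint on 11.6.1 or any later 11.x point release would be reported as vulnerable. The following is an added example, not the original poster's query or Sophos' own, showing the general pattern for a "fixed in version X" check: fold osquery's integer `major`/`minor`/`patch` columns from `os_version` into one sortable number and compare against the fixed version. It keeps the post's `major = 11` scope and its fixed version of 11.6; the packed-number encoding and the 110600 threshold are this example's own construction.

```sql
-- Added example (not from the original post): numeric version comparison
-- for the FORCEDENTRY check, so 11.6.1, 11.7, etc. are not flagged.
-- Assumes osquery's os_version table on macOS, where major, minor and
-- patch are INTEGER columns (assumption; patch may be NULL on some builds).
-- Encoding: major*10000 + minor*100 + patch, so 11.6.0 -> 110600.
SELECT
    name,
    version,
    (major * 10000 + minor * 100 + COALESCE(patch, 0)) AS version_number,
    CASE
        WHEN (major * 10000 + minor * 100 + COALESCE(patch, 0)) >= 110600
            THEN 'Not Vulnerable to FORCEDENTRY'
        ELSE 'Vulnerable | Upgrade to 11.6 or later'
    END AS BigSurCheck
FROM os_version
WHERE major = 11;
```

The same packed number works for any "patched in version X.Y.Z" check: change the threshold constant and the `WHERE` scope. Compare on the packed integer, never on the dotted string, since string ordering puts '11.10' before '11.6'.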
  • Rare process trees with a LOLBIN tool

    • Approved on
    • 0 Comments
    With leadless threat hunting, where you are simply looking for strange activity in the environment to determine if it is an as yet undiscovered adversary, it is often valuable to identify things that are RARE or UNIQUE. With the Rare Tree query below we...
  • Live Discover Query - Vulnerability check for ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability

    • Approved on
    • 2 Comments
    REVIEWED by Sophos Windows has a zero-day that won't be patched for weeks. Well, another day, another zero-day vulnerability. Today I am looking at how to best create a vulnerability check given information in a CVE and a Microsoft Notification. In...
  • Live Discover Query - SDBot Malware - RAT

    • Under Review on
    • 1 Comment
    REVIEWED by Sophos Here is a specific query identifying SDBot Malware used by the TA505 hacking group: SELECT DISTINCT srj.time AS event_timestamp, srj.keyName, srj.value, srj.eventType, srj.sophosPID, srj.valueName, 'REG_BINARY' AS valueType, 'SDBbot...