Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Query - IOC´s From GitHub list

    • Under Review on
    • 2 Comments
    /* Desc: Number of Hours of activity to search / TYPE: String / SQLVAR: $$Number of Hours of activity to search$$ Desc: RAW IOC List location from a URL / TYPE: String / SQLVAR: $$RAW IOC List location from a URL$$ / Value: ... Desc: Start Search From...
  • Detecting IOCs from ACSC 2020-008 The Copy-Paste Compromise Notification

    • Under Review on
    • 1 Comment
    REVIEWED by Sophos Hello all The Australian Federal Government recently issued a warning to all Australians that we're under an increasing number of cyber attacks. Although this served as a general warning to everyone, the Australia Cyber Security...
  • Live Discover Query - Malware persistence

    • Approved on
    • 2 Comments
    REVIEWED by Sophos Below are a few basic queries for pulling back data from places that malware likes to use for persistence. First up Registry Run keys: SELECT r.path, r.name, r.data, REPLACE(REPLACE(REPLACE(REGEX_SPLIT(r.data...
  • Compare IP activity to Remote List of IOC IP addresses

    • Under Review on
    • 0 Comments
    Utilizing a post from Karl_Ackerman and the precanned queries in Sophos Central, here is a query that can pull down a remote csv table, and join it to the sophos_ip_journal. It takes one variable: URL -- String -- $$URL$$ In this use case, I took...
  • T1078 - CVE-2020-1472 - Netlogon

    • Under Review on
    • 0 Comments
    This is an older vulnerability but still nice to showcase the capabilities of how XDR can discover CVEs. This query will search for and detect the Windows vulnerability affecting the Netlogon feature. Sophos Security Bulletin: https://community.sophos.com...
  • FORCEDENTRY Big Sur 11.6 Version Check

    • Under Review on
    • 0 Comments
    SELECT CASE WHEN version = '11.6' THEN 'Not Vulnerable to FORCEDENTRY' ELSE 'Vulnerable | Upgrade to 11.6' END AS BigSurCheck FROM os_version WHERE major = '11'
  • Yara rules not returning results

    • Under Review on
    • 0 Comments
    Cannot get results back from online rules (based on this https://community.sophos.com/intercept-x-endpoint/b/blog/posts/yara-scanning-rules-with-sophos-xdr ) so tried the simplest osquery I could think of: SELECT * FROM yara WHERE path = 'c:\windows...
  • Live Discover Query - Vulnerability check for ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability

    • Approved on
    • 2 Comments
    REVIEWED by Sophos Windows has a zero-day that won’t be patched for weeks. Well, another day, another zero-day vulnerability. Today I am looking at how to best create a vulnerability check given information in a CVE and a Microsoft Notification. In this...
  • Live Discover Query - SDBot Malware - RAT

    • Approved on
    • 1 Comment
    REVIEWED by Sophos Here is a specific query identifying SDBot Malware used by the TA505 hacking group: SELECT DISTINCT srj.time AS event_timestamp, srj.keyName, srj.value, srj.eventType, srj.sophosPID, srj.valueName, 'REG_BINARY' AS valueType, 'SDBbot...