Live Discover & Response Query Forum
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum
Sophos EDR Threat Hunting Framework
For more information on Live Discover, please check out our
Navigate to a category below to browse and submit a query
Browse Live Response and Discover Queries by Category
EDR Query to find all local admins (Windows)
I am searching for a way to query the local Administrators security group on every device in our environment. This seems like something Live Discover is capable of doing, but I haven't been able to figure out the OSQuery syntax to get it done. Right...
22 Jun 2021 3:31 AM
Find Local Administrative Accounts
It may be useful to do a search for local administrative accounts in your device fleet. You could grab timestamps of when accounts were created to gain more insight. SELECT username, groupname, type, u.UID, g.GID, Description, comment FROM users...
22 Jun 2021 3:25 AM
10 queries for exploring windows events and security groups
REVIEWED by Sophos The Sophos UK Sales engineering team has been getting familiar with live discover. In the work they explored group policy and provided the following queries: Deleted security groups - Variable to specify the number of days to...
22 Jun 2021 3:04 AM
Live Discover Query - Authentication History for a User
REVIEWED by Sophos This is a Windows-only query that looks at the system events logs to see logon history for users. This will show how a user is authenticated on Windows endpoints and servers. You can expect to see locally connected users (Interactive...
22 Jun 2021 3:44 AM
Live Discovery Query: Identify new admin accounts
REVIEWED by Sophos This query will identify new admin accounts created in the last N Days. SELECT u.username, (SELECT datetime FROM sophos_windows_events WHERE eventid = '4720' AND json_extract(json_extract(data, '$.EventData'),'$.TargetSid') = u...
22 Jun 2021 3:02 AM