Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Browse Ideas in Category

  • Query for a user's web history

    AitorBF
    • Under Review on
    • 0 Comments
    I think a query of a user's web history would be helpful. I see it useful for when there has been a download, for example of a PUA, to be able to know which user and from which url has downloaded it. Do you think this is possible? Thank you so much...

  • Find Local Administrative Accounts

    JeramyKopacko
    • Approved on
    • 1 Comment
    It may be useful to do a search for local administrative accounts in your device fleet. You could grab timestamps of when accounts were created to gain more insight. SELECT username, groupname, type, u.UID, g.GID, Description, comment FROM users u...

  • EDR Query to find all local admins (Windows)

    Jacob Jensen2
    • Under Review on
    • 17 Comments
    I am searching for a way to query the local Administrators security group on every device in our environment. This seems like something Live Discover is capable of doing, but I haven't been able to figure out the OSQuery syntax to get it done. Right now...

  • Sophos EDR: Query that will show me all users and groups (including domain accounts) in the local Administrators group of a PC

    Matt Schmitt
    • Under Review on
    • 2 Comments
    I want to see any users or groups that have been added to the Local Administrators group on a PC. Including domain users and groups. I've been looking at this post: https://community.sophos.com/intercept-x-endpoint/i/user/edr-query-to-find-all-local...

  • Live Discovery Query: Identify new admin accounts

    Karl Ackerman
    • Approved on
    • 1 Comment
    REVIEWED by Sophos This query will identify new admin accounts created in the last N Days. SELECT u.username, (SELECT datetime FROM sophos_windows_events WHERE eventid = '4720' AND json_extract(json_extract(data, '$.EventData'),'$.TargetSid') = u...

  • [Datalake] Domain Admin Logins

    rfrutiger
    • Under Review on
    • 0 Comments
    I'm wanting to create a query against the datalake that would report logins by users in the Domain Admins active directory group. I have seen examples for locating local admins, but I haven't seen any information on getting information about domain admin...

  • 10 queries for exploring windows events and security groups

    Karl_Ackerman
    • Approved on
    • 0 Comments
    REVIEWED by Sophos The Sophos UK Sales engineering team has been getting familiar with live discover. In the work they explored group policy and provided the following queries: Deleted security groups - Variable to specify the number of days to...

  • Live Discover Query - Authentication History for a User

    AndyM
    • Approved on
    • 1 Comment
    REVIEWED by Sophos This is a Windows-only query that looks at the system events logs to see logon history for users. This will show how a user is authenticated on Windows endpoints and servers. You can expect to see locally connected users (Interactive...

  • Sophos Central Live Discover "User account locked out" query missing timestamps

    Sophos User2229
    • Under Review on
    • 8 Comments
    "User account locked out (Data Lake)" query in Live Discover is missing timestamps for the individual events in the report. How can we get the time stamps? Knowing the event happened but not knowing when significantly hampers the investigation. Is...
Unfiltered HTML