Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.
New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation. Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Note: For more information on Live Discover, please check out our Product Documentation.
Browse Live Response and Discover Queries by Category
Uncategorized
Anomalies
ATT&CK
Compliance
Device
Email
Events
Files
Live Response
Network
Other queries
Processes
Query Tips
Registry
Threat Hunting
User
Data Lake
Query for a user's web history
AitorBF
Under Review on 19 Jan 2022
0 Comments
I think a query of a user's web history would be helpful. I see it useful for when there has been a download, for example of a PUA, to be able to know which user and from which url has downloaded it. Do you think this is possible? Thank you so much...
19 Jan 2022 1:24 PM
Find Local Administrative Accounts
JeramyKopacko
Approved on 29 Nov 2021
1 Comment
It may be useful to do a search for local administrative accounts in your device fleet. You could grab timestamps of when accounts were created to gain more insight. SELECT username, groupname, type, u.UID, g.GID, Description, comment FROM users u...
30 Oct 2020 3:40 AM
EDR Query to find all local admins (Windows)
Jacob Jensen2
Under Review on 29 Nov 2021
17 Comments
I am searching for a way to query the local Administrators security group on every device in our environment. This seems like something Live Discover is capable of doing, but I haven't been able to figure out the OSQuery syntax to get it done. Right now...
18 Feb 2021 5:55 PM
Sophos EDR: Query that will show me all users and groups (including domain accounts) in the local Administrators group of a PC
Matt Schmitt
Under Review on 17 Feb 2022
2 Comments
I want to see any users or groups that have been added to the Local Administrators group on a PC. Including domain users and groups. I've been looking at this post: https://community.sophos.com/intercept-x-endpoint/i/user/edr-query-to-find-all-local...
17 Feb 2022 5:10 PM
Live Discovery Query: Identify new admin accounts
Karl Ackerman
Approved on 24 Nov 2021
1 Comment
REVIEWED by Sophos This query will identify new admin accounts created in the last N Days. SELECT u.username, (SELECT datetime FROM sophos_windows_events WHERE eventid = '4720' AND json_extract(json_extract(data, '$.EventData'),'$.TargetSid') = u...
10 Jun 2020 1:48 PM
[Datalake] Domain Admin Logins
rfrutiger
Under Review on 2 Nov 2022
0 Comments
I'm wanting to create a query against the datalake that would report logins by users in the Domain Admins active directory group. I have seen examples for locating local admins, but I haven't seen any information on getting information about domain admin...
2 Nov 2022 5:00 PM
10 queries for exploring Windows events and security groups
Karl_Ackerman
Approved on 29 Nov 2021
0 Comments
REVIEWED by Sophos The Sophos UK Sales Engineering team has been getting familiar with Live Discover. In the work they explored group policy and provided the following queries: Deleted security groups - Variable to specify the number of days to...
6 Jul 2020 7:25 PM
Live Discover Query - Authentication History for a User
AndyM
Approved on 24 Nov 2021
1 Comment
REVIEWED by Sophos This is a Windows-only query that looks at the system event logs to see logon history for users. This will show how a user is authenticated on Windows endpoints and servers. You can expect to see locally connected users (Interactive...
18 Jun 2020 4:05 PM
Sophos Central Live Discover "User account locked out" query missing timestamps
Sophos User2229
Under Review on 9 Jun 2022
8 Comments
"User account locked out (Data Lake)" query in Live Discover is missing timestamps for the individual events in the report. How can we get the timestamps? Knowing the event happened but not knowing when significantly hampers the investigation. Is...
9 Jun 2022 5:04 PM