Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • EDR Query to find all local admins (Windows)

    • Under Review
    I am searching for a way to query the local Administrators security group on every device in our environment. This seems like something Live Discover is capable of doing, but I haven't been able to figure out the OSQuery syntax to get it done. Right...
    • 22 Jun 2021 3:31 AM
  • Find Local Administrative Accounts

    • Approved
    • 1 Comment
    It may be useful to do a search for local administrative accounts in your device fleet. You could grab timestamps of when accounts were created to gain more insight. SELECT username, groupname, type, u.UID, g.GID, Description, comment FROM users...
    • 22 Jun 2021 3:25 AM
  • 10 queries for exploring windows events and security groups

    • Approved
    REVIEWED by Sophos The Sophos UK Sales engineering team has been getting familiar with live discover. In the work they explored group policy and provided the following queries: Deleted security groups - Variable to specify the number of days to...
    • 22 Jun 2021 3:04 AM
  • Live Discover Query - Authentication History for a User

    • Approved
    • 1 Comment
    REVIEWED by Sophos This is a Windows-only query that looks at the system events logs to see logon history for users. This will show how a user is authenticated on Windows endpoints and servers. You can expect to see locally connected users (Interactive...
    • 22 Jun 2021 3:44 AM
  • Live Discovery Query: Identify new admin accounts

    • Approved
    • 1 Comment
    REVIEWED by Sophos This query will identify new admin accounts created in the last N Days. SELECT u.username, (SELECT datetime FROM sophos_windows_events WHERE eventid = '4720' AND json_extract(json_extract(data, '$.EventData'),'$.TargetSid') = u...
    • 22 Jun 2021 3:02 AM