Navigate to a category below to browse and submit a query

Hello Community! I'm looking for a solution to make use of the DateLake data (I'm still XDR / LiveDiscover newbie). I would like to query all local administrators of computers that do not have the default names. For this I already have a small query...

"User account locked out (Data Lake)" query in Live Discover is missing timestamps for the individual events in the report. How can we get the time stamps? Knowing the event happened but not knowing when significantly hampers the investigation. Is...

SELECT ARRAY_JOIN(ARRAY_AGG(DISTINCT windows_processes.meta_hostname), CHR(10)) AS ep_list, COUNT(DISTINCT windows_processes.meta_hostname) AS ep_count, windows_processes.name AS process_name, windows_processes.path AS path, windows_processes...

This query will use the Sophos Central Email Maiflow connector (avail for Office 365) data to search for a specific URL in your users mail. This may be useful to see how many people saw a certain link or identify who may have interacted with it. -...

Hi, I am looking for a way to have a query to detect all activity of NetBIOS and IPv6. These two ports need to be disabled on all network devices so I am looking for a query I can run on a monthly basis to confirm these ports are disabled. From...

I am trying to determine what process is generating outbound SMB traffic on a system. I can see the traffic in the firewall logs, but when I use the query below, nothing comes up. It doesn't matter which system I check, or whether I use port 137 or 445...

Cannot get results back from online rules (based on this https://community.sophos.com/intercept-x-endpoint/b/blog/posts/yara-scanning-rules-with-sophos-xdr ) so tried the simplest osquery I could think of: SELECT * FROM yara WHERE path = 'c:\windows...

Hi Team, Here is a Live Discover Query for all DNS requests in a particular time frame from a device. You can use % for all processes or search for a particular process. -- DNS Lookups by Process -- $$Start Time$$ DATE -- $$End Time$$ DATE -- $...

Hello, I would like to know if it is possible to make a query to show devices where there is a specific file in the Data Lake. Thank you

Hello, I would like suggestions regarding how to put together a query to find MD5 hashes. There is a built-in query called Processes matching SHA-256 hashes in the last 30 days (below), but I would like to search for MD5 hashes not SHA-256, since...