3CX DLL-Sideloading attack: What you need to know

Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Scan for Old Sophos Connect Client

    Qoosh
    • Device
    • Under Review on
    • 0 Comments
    This query will return all devices that don’t have the latest version of the Sophos Connect Client installed. This is a Live Discover Query for Windows devices. SELECT name, version, install_location FROM programs WHERE name like 'Sophos Connect' and...

  • New to the data lake - Is it possible to get the revision of windows, as well as the build number?

    Brian Adgey
    • Device
    • Complete on
    • 1 Comment
    Hi, im just wondering if the revision of a windows machine is also uploaded to the datalake. I have had a look at the schema and i cannot see it contained within it. If it its not in the datalake, can it be live queried from a machine?

  • Browser History

    Parag Shukla
    • Device
    • Complete on
    • 1 Comment
    Hi Team, For the hunting purpose is it possible can we get browser history from the end user's system. If someone knows about related osquesry please share. I was trying with SELECT * FROM chrome_history LIMIT 10 ; but no luck.

  • Query Deployed Integrations

    Qoosh
    • Other queries
    • Approved on
    • 0 Comments
    This query will list all deployed MDR Integrations. SELECT sensor_type Integration_Category, sensor_vendor Vendor, COUNT(*) Records, CAST(CAST(SUM(upload_size)/1024.0 AS DECIMAL(10,2)) AS VARCHAR)||'KB' Data_uploaded, CAST(DATE_DIFF('hour...

  • [Datalake] Domain Admin Logins

    rfrutiger
    • User
    • Under Review on
    • 0 Comments
    I'm wanting to create a query against the datalake that would report logins by users in the Domain Admins active directory group. I have seen examples for locating local admins, but I haven't seen any information on getting information about domain admin...

  • [Sophos Firewall / Data Lake] Identify Attempts to Access Firewall by Country

    Matthew Ritchie
    • Network
    • Under Review on
    • 1 Comment
    SELECT device_model, --device_serial_id, --app_name AS ProtoPort, --in_interface,-- --src_mac,-- src_ip, dst_ip, src_country, log_type AS Source_Log, log_subtype AS Decision, src_port, dst_port --protocol-- FROM xgfw_data ...

  • mismatched input

    ekrem19
    • User
    • Complete on
    • 4 Comments
    Hi, I run the following query and had an error. I got the query from GitHub. https://github.com/Sophos-Community/XDR_Queries/commit/80a062e25426c9879b4b238cf889e93088e2e41f What could be wrong? Invalid sql: SELECT source, eventid, CAST(datetime...

  • Live Discover query to check installed Internet Explorer

    gb-hg
    • Device
    • Complete on
    • 1 Comment
    Hello all, I would be very interested if someone has a ready-made query to check an installed Internet Explorer on Windows clients/server? C:\Program Files\Internet Explorer\iexplore.exe Many thanks for your support!

  • Using Live Discover to determine TPM enabled devices

    Tenchima
    • Device
    • Complete on
    • 3 Comments
    Does anyone know of a SQL Query format in the Designer Mode in Live Discover that will allow me to query all Windows devices to determine which online systems have a TPM module? Thanks. -Andy

  • Query for Device Inventory

    Manny Singh
    • Device
    • Complete on
    • 1 Comment
    Hi Team, Would it be possible to query the below details for device : 1. DNS Name /FQDN 2. Logged in (Domain ) 3. Last logged in user 4. IP address 5. Group 6. Status 7. Operating system and version 9. Last update 10. Status 11....
Unfiltered HTML