Sophos Community - Connect, Learn, and Stay Secure

Latest Live Discover and Response Queries (All)

Live discover query to check offline and online devices for a period of time.

yenz User
- Device
- Under Review on 1 Sep 2025
- 0 Comments
Hi Team, Requesting your assistance if we have an available script to check devices that went offline for a specific period of time, since the reports page only contains 2 weeks + of offline devices. Thank you.
- 1 Sep 2025 2:09 AM
Sign in to vote on ideas
+1
Sign in to vote on ideas
Live Response: Return WindowsOS assets set NIC Gateway IP

Troden
- Live Response
- Under Review on 9 Aug 2024
- 1 Comment
G'Day Community, Does anyone know how I could run a live response query that can return the machine's Gateway IP on its configured NICs? I've run all the related network queries: Network Interface details, Network Interfaces, and Network Interface...
- 9 Aug 2024 9:02 AM
Sign in to vote on ideas
+1
Sign in to vote on ideas
Failed to found file with XDR Query

Dymar Support
- Files
- Under Review on 17 Jul 2024
- 3 Comments
Hi All I have tried this query on my sophos dashboard. However, there is no result but the files with zepto extension are existing in the below mentioned folder. SELECT filename,path,directory FROM file WHERE directory like 'D:\OKI 2 CMEIAH\MMP...
- 17 Jul 2024 3:01 AM
Sign in to vote on ideas
+1
Sign in to vote on ideas
XDR LiveDiscover. Query for NTLM authentication.

LMSIIATO
- Data Lake
- Under Review on 11 Jul 2024
- 0 Comments
Hello everyone, in my domain I would like to disable NTLM authentication. Before disabling it completely, I wanted to do an audit to see if any applications or servers were still using it. It would be nice to be able to make an OsQuery from livediscover...
- 11 Jul 2024 7:36 AM
Sign in to vote on ideas
+2
Sign in to vote on ideas
Data Lake Query missing query_name = system_info from xdr_table

BostjanR
- Data Lake
- Under Review on 17 Jun 2024
- 0 Comments
Hello, is there any option to add system_info endpoint query (and data) to Sophos data lake? Is there any valid reason that this info is not included by default by Sophos XDR? Is there any option to schedule this query on endpoints so that we can...
- 17 Jun 2024 9:10 AM
Sign in to vote on ideas
+1
Sign in to vote on ideas
Checking open ports on servers

Reem Jalal Eddine
- Network
- Under Review on 17 Apr 2024
- 1 Comment
Hi, I am wondering is there any way we can view what ports are open on each server, I mean not through firewall rules.
- 17 Apr 2024 2:43 PM
Sign in to vote on ideas
+1
Sign in to vote on ideas
[LiveDiscoverHelp] Memory_info table on os_query schema is missing for Windows while for Linux its available.

YenzLS
- Query Tips
- Complete on 29 Mar 2024
- 1 Comment
We have a script that will display system memory and load but is only available for Linux devices. Pre canned script = "System memory and load" Is there a script for windows devices that will display system memory and load? If so can you please provide...
- 26 Mar 2024 4:17 AM
Sign in to vote on ideas
+1
Sign in to vote on ideas
Add support for BypassIO in Windows storage filter driver

Playa
- Compliance
- Under Review on 2 Mar 2024
- 0 Comments
Hello, I hope i dont miss a thread already discussing this topic. Starting with Windows 10 1909 we have the ability to use DirectStorage, besides hardware requirements the software also needs to be capable of this. The storage filter driver of Sophos...
- 2 Mar 2024 5:26 PM
Sign in to vote on ideas
+2
Sign in to vote on ideas
cURL vulnerability - CVE-2023-38545

Qoosh
- Threat Hunting
- Approved on 19 Jan 2024
- 0 Comments
This is a live discover query. with file_list as ( select spj.cmd_line, sfj.path, sfj.file from sophos_file_journal as sfj join sophos_process_journal as spj on spj.sophos_pid = sfj.sophos_pid where sfj.subject = "FileBinaryReads" and sfj.event_type...
- 8 Jan 2024 7:30 PM
Sign in to vote on ideas
+2
Sign in to vote on ideas
Intercept X Advanced, Server Event Logs

AStaUK
- Events
- Under Review on 31 Dec 2023
- 3 Comments
I'm just getting started with Intercept X and when I was being demoed the product I'm sure one of the features I was shown was the ability to store the Windows Event Logs in the cloud. But so far I've not been able to achieve this or find any documentation...
- 31 Dec 2023 9:59 PM
Sign in to vote on ideas
+1
Sign in to vote on ideas

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

NDR Queries

Live discover query to check offline and online devices for a period of time.

Live Response: Return WindowsOS assets set NIC Gateway IP

Failed to found file with XDR Query

XDR LiveDiscover. Query for NTLM authentication.

Data Lake Query missing query_name = system_info from xdr_table

Checking open ports on servers

[LiveDiscoverHelp] Memory_info table on os_query schema is missing for Windows while for Linux its available.

Add support for BypassIO in Windows storage filter driver

cURL vulnerability - CVE-2023-38545

Intercept X Advanced, Server Event Logs