Sophos Community
Sophos Community
  • Site
  • User
  • Site
  • Search
  • User
  • Community & Product Forums
    • Intercept X Endpoint
    • Sophos Firewall
    • Sophos Central
    • Sophos Factory
    • Sophos Mobile
    • Sophos Cloud Optix
    • Sophos Sensor
    • Sophos Switch
    • Sophos Wireless
    • Sophos Email
    • UTM Firewall
  • Community Blogs & Events
    • Sophos Community Blog
    • Community Security Blog
    • Product Documentation Blog
    • Application Control
  • Getting Started
  • Sophos Partners
    • Sophos Partners Group
  • Member Recognition
    • Community Leaderboards
  • Sophos Techvids
  • Product Documentation
    • Visit docs.sophos.com
  • Support Portal
    • Sophos.com
  • More
  • Cancel
Intercept X Endpoint
Intercept X Endpoint
Live Discover & Response Query Forum Live Discover & Response Query Forum
  • Release Notes & News
  • Discussions
  • Recommended Reads
  • Threat Hunting Academy
  • Early Access Programs
  • Live Discover & Response Query Forum
  • More
  • Cancel
  • New
Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
⁃ Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
⁃ Query Corner Announcement and Master Index.

Note: For more information on Live Discover, please check out our Product Documentation

Sophos Community XDR Queries on GitHub


Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
  • Uncategorized

  • Anomalies

  • ATT&CK

  • Cloud Optix

  • Compliance

  • Data Lake

  • Device

  • Email

  • Events

  • Files

  • Live Response

  • Network

  • Other queries

  • Processes

  • Query Tips

  • Registry

  • Threat Hunting

  • User

Latest Live Response and Discover Queries (All)
  • Query Local Administrators / Endpoint Query / DataLake Query

    Florian Garrecht
    Florian Garrecht
    • Data Lake
    • Under Review on 27 Jun 2022
    • 1 Comment
    Hello Community! I'm looking for a solution to make use of the DateLake data (I'm still XDR / LiveDiscover newbie). I would like to query all local administrators of computers that do not have the default names. For this I already have a small query...
    • 27 Jun 2022 12:03 PM
  • Sophos Central Live Discover "User account locked out" query missing timestamps

    Sophos User2229
    Sophos User2229
    • User
    • Under Review on 9 Jun 2022
    • 8 Comments
    "User account locked out (Data Lake)" query in Live Discover is missing timestamps for the individual events in the report. How can we get the time stamps? Knowing the event happened but not knowing when significantly hampers the investigation. Is...
    • 9 Jun 2022 5:04 PM
  • Hunting query for follina 0-click RCE - not optimised for performance

    reg1nleifr
    reg1nleifr
    • Data Lake
    • Approved on 3 Jun 2022
    • 3 Comments
    SELECT ARRAY_JOIN(ARRAY_AGG(DISTINCT windows_processes.meta_hostname), CHR(10)) AS ep_list, COUNT(DISTINCT windows_processes.meta_hostname) AS ep_count, windows_processes.name AS process_name, windows_processes.path AS path, windows_processes...
    • 1 Jun 2022 7:22 AM
  • Search mail flow logs for specific URL

    JeramyKopacko
    JeramyKopacko
    • Email
    • Approved on 19 May 2022
    • 0 Comments
    This query will use the Sophos Central Email Maiflow connector (avail for Office 365) data to search for a specific URL in your users mail. This may be useful to see how many people saw a certain link or identify who may have interacted with it. -...
    • 19 May 2022 5:09 PM
  • Scanning for activity of IPv6 and NetBIOS

    Christopher Danby
    Christopher Danby
    • Network
    • Under Review on 9 May 2022
    • 1 Comment
    Hi, I am looking for a way to have a query to detect all activity of NetBIOS and IPv6. These two ports need to be disabled on all network devices so I am looking for a query I can run on a monthly basis to confirm these ports are disabled. From...
    • 9 May 2022 1:57 PM
  • Outbound SMB Traffic

    Albert Straniti
    Albert Straniti
    • Network
    • Approved on 18 May 2022
    • 1 Comment
    I am trying to determine what process is generating outbound SMB traffic on a system. I can see the traffic in the firewall logs, but when I use the query below, nothing comes up. It doesn't matter which system I check, or whether I use port 137 or 445...
    • 28 Apr 2022 5:08 PM
  • Yara rules not returning results

    Chris Smith4
    Chris Smith4
    • Threat Hunting
    • Under Review on 19 Apr 2022
    • 0 Comments
    Cannot get results back from online rules (based on this https://community.sophos.com/intercept-x-endpoint/b/blog/posts/yara-scanning-rules-with-sophos-xdr ) so tried the simplest osquery I could think of: SELECT * FROM yara WHERE path = 'c:\windows...
    • 19 Apr 2022 10:16 PM
  • Live Discover Query for all DNS requests in a time frame with process (ZTNA App discover)

    LuCar Toni
    LuCar Toni
    • Uncategorized
    • Approved on 4 Apr 2022
    • 0 Comments
    Hi Team, Here is a Live Discover Query for all DNS requests in a particular time frame from a device. You can use % for all processes or search for a particular process. -- DNS Lookups by Process -- $$Start Time$$ DATE -- $$End Time$$ DATE -- $...
    • 4 Apr 2022 8:54 AM
  • show devices where exist a file with a specific hash

    Giulia Zambetti
    Giulia Zambetti
    • Files
    • Complete on 18 May 2022
    • 1 Comment
    Hello, I would like to know if it is possible to make a query to show devices where there is a specific file in the Data Lake. Thank you
    • 29 Mar 2022 12:41 PM
  • Query for MD5 hashes

    Abdullah Lababidi
    Abdullah Lababidi
    • Threat Hunting
    • Under Review on 23 Mar 2022
    • 3 Comments
    Hello, I would like suggestions regarding how to put together a query to find MD5 hashes. There is a built-in query called Processes matching SHA-256 hashes in the last 30 days (below), but I would like to search for MD5 hashes not SHA-256, since...
    • 23 Mar 2022 10:02 PM
>
Unfiltered HTML
  • Getting started
  • Legal
  • Privacy
  • Cookies

© 1997 - 2022 Sophos Ltd. All rights reserved.