Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Query Deployed Integrations

    Qoosh
    • Other queries
    • Under Review on
    • 0 Comments
    This query will list all deployed MDR Integrations. SELECT sensor_type Integration_Category, sensor_vendor Vendor, COUNT(*) Records, CAST(CAST(SUM(upload_size)/1024.0 AS DECIMAL(10,2)) AS VARCHAR)||'KB' Data_uploaded, CAST(DATE_DIFF('hour...

  • [Datalake] Domain Admin Logins

    rfrutiger
    • User
    • Under Review on
    • 0 Comments
    I'm wanting to create a query against the datalake that would report logins by users in the Domain Admins active directory group. I have seen examples for locating local admins, but I haven't seen any information on getting information about domain admin...

  • [Sophos Firewall / Data Lake] Identify Attempts to Access Firewall by Country

    Matthew Ritchie
    • Network
    • Under Review on
    • 1 Comment
    SELECT device_model, --device_serial_id, --app_name AS ProtoPort, --in_interface,-- --src_mac,-- src_ip, dst_ip, src_country, log_type AS Source_Log, log_subtype AS Decision, src_port, dst_port --protocol-- FROM xgfw_data ...

  • mismatched input

    ekrem19
    • User
    • Complete on
    • 4 Comments
    Hi, I run the following query and had an error. I got the query from GitHub. https://github.com/Sophos-Community/XDR_Queries/commit/80a062e25426c9879b4b238cf889e93088e2e41f What could be wrong? Invalid sql: SELECT source, eventid, CAST(datetime...

  • Live Discover query to check installed Internet Explorer

    gb-hg
    • Device
    • Complete on
    • 1 Comment
    Hello all, I would be very interested if someone has a ready-made query to check an installed Internet Explorer on Windows clients/server? C:\Program Files\Internet Explorer\iexplore.exe Many thanks for your support!

  • Using Live Discover to determine TPM enabled devices

    Tenchima
    • Device
    • Complete on
    • 3 Comments
    Does anyone know of a SQL Query format in the Designer Mode in Live Discover that will allow me to query all Windows devices to determine which online systems have a TPM module? Thanks. -Andy

  • Query for Device Inventory

    Manny Singh
    • Device
    • Complete on
    • 1 Comment
    Hi Team, Would it be possible to query the below details for device : 1. DNS Name /FQDN 2. Logged in (Domain ) 3. Last logged in user 4. IP address 5. Group 6. Status 7. Operating system and version 9. Last update 10. Status 11....

  • XDR Data Lake Question

    JC2022
    • Device
    • Complete on
    • 2 Comments
    On XDR Data Lake query, can you find the public IP that the device is connected to? So far I've only seen the local IP or the IP that the device connects to. Thanks

  • Verify if an endpoint agent is on the new SDDS3 update mechanism

    Sylvain_Roy
    • Device
    • Approved on
    • 1 Comment
    This query will verify if the Sophos Endpoint Agent is on the new SDDS3 update mechanism. https://support.sophos.com/support/s/article/KB-000043550?language=en_US SDDSStatus will indicate if the endpoint is on SDDS2 or SDDS3. An SDDS3Ready status...

  • Query Local Administrators / Endpoint Query / DataLake Query

    Florian Garrecht
    • Data Lake
    • Under Review on
    • 1 Comment
    Hello Community! I'm looking for a solution to make use of the DateLake data (I'm still XDR / LiveDiscover newbie). I would like to query all local administrators of computers that do not have the default names. For this I already have a small query...
Unfiltered HTML