Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
Support for built in queries is provided by Sophos Support. Visit the support portal
For more information on Live Discover, please check out our Product Documentation
For custom query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Using Live Response to investigate Sophos Services & their CPU utilization

    Bhaumik Gohel
    • Live Response
    • Approved on
    • 0 Comments
    Initial Steps: The given Powershell script will run from Live Response as well as from powershell prompt. There's no obligation to have elevated privilege to run this script. After opening command prompt enter "powershell" Copy paste the complete...

  • Find only new created files by extension

    LHerzog
    • Files
    • Under Review on
    • 0 Comments
    Hi, I did a copy of the default live query: File access history I'm only interested in new files that have been created in that timeframe. The demand is a bit like the default " New applications deployed " query. But not only for applications. ...

  • Custom Live Discover Query

    Lee Fellows
    • Data Lake
    • Under Review on
    • 0 Comments
    We have an issue where our custom SQL query to search for a file on an endpoint sometimes returns data and then other times will not, even though the file still exists on the system. Has anyone ever come across this before?

  • Sophos Central Azure AD, MFA Device Registration

    Javis Walker
    • Queries
    • Under Review on
    • 0 Comments
    Is it possible to query for new MFA device registration for an user in azure ad?

  • Record_Type in M365 Schema

    Javis Walker
    • Queries
    • Under Review on
    • 0 Comments
    How is the record_type field value determined? In the schema there is no description.

  • Sophos Central Query

    Javis Walker
    • Queries
    • Under Review on
    • 0 Comments
    Is it possible to query for new MFA device registration on an Azure AD account?

  • Sysmon logs investigation through Sophos XDR

    Bhinang Tejani
    • Live Response
    • Under Review on
    • 0 Comments
    Is it possible to enable sysmon logging in windows and then capture all logs to Sophos XDR and use it for threat detection?

  • PaperCut Activity Hunt

    JeramyKopacko
    • Data Lake
    • Approved on
    • 0 Comments
    This is sourced directly from Sophos MDR: Increased exploitation of PaperCut drawing blood around the Internet – Sophos News PaperCut IoC List: IoCs/papercut-nday-indicators-of-compromise.csv at master · sophoslabs/IoCs · GitHub SELECT date_format...

  • Snowflake Reference Table

    digital specz
    • Data Lake
    • Under Review on
    • 0 Comments
    How to create a reference table in Snowflake that picks up the column name and the column value together as a result to be referenced in another SQL Query ?

  • Scan for Old Sophos Connect Client

    Qoosh
    • Device
    • Under Review on
    • 0 Comments
    This query will return all devices that don’t have the latest version of the Sophos Connect Client installed. This is a Live Discover Query for Windows devices. SELECT name, version, install_location FROM programs WHERE name like 'Sophos Connect' and...
Unfiltered HTML