Sophos Endpoint
Live Discover & Response Query Forum
Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
⁃ Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
⁃ Query Corner Announcement and Master Index.

Notes:
If Sophos pre-defined queries aren't working, Sophos Support can help to ensure that data is uploaded from your devices to the Sophos Data Lake. Visit the support portal.
For custom query assistance, please see Getting LD&R Community Support or contact Sophos Professional Services.
For more information on Live Discover, please check out our Product Documentation.

Sophos Community XDR Queries on GitHub


Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
  • Uncategorized
  • Anomalies
  • ATT&CK
  • Cloud Optix
  • Compliance
  • Data Lake
  • Device
  • Email
  • Events
  • Files
  • Live Response
  • Network
  • Other queries
  • Processes
  • Query Tips
  • Registry
  • Threat Hunting
  • User
  • NDR Queries

Latest Live Discover and Response Queries (All)
  • LINUX Process Tree for Data Lake (SHORT)
    Karl_Ackerman
    • Anomalies
    • Approved on 18 Jan 2022
    • 0 Comments
    -- FIXED PID RECYCLE PROBLEM With the Data lake and LINUX we have some challenges creating a Sophos PID. The issue is around time from the Linux Process Events Journal in OSQuery. It does not have accurate enough process start time information so we...
    • 16 Aug 2021 2:43 AM
  • LINUX MITRE ATT&CK TTP Detector (DATA LAKE)
    Karl_Ackerman
    • Anomalies
    • Approved on 18 May 2022
    • 0 Comments
    Below is a DATA LAKE QUERY for a basic LINUX and MAC OS TTP Detection query. It has multiple variables VARIABLES Number of hours to search STRING Verbosity 0-9 (use 10 for ALL) STRING device_name STRING mitre_id STRING tactic name STRING...
    • 16 Aug 2021 2:37 AM
  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs - Removal of .evtx files
    EMK
    • ATT&CK
    • Complete on 18 May 2022
    • 0 Comments
    MITRE Technique T1070.001 - "Indicator Removal on Host: Clear Windows Event Logs" - details adversaries may clear the Windows Event Logs, typically Security, to hide the activity of an intrusion. One should therefore be mindful of tools such as wevtutil...
    • 14 Aug 2021 2:09 PM
  • Port scan detection using Sophos Firewall data in the Data Lake
    Marcel
    • Data Lake
    • Approved on 19 May 2022
    • 4 Comments
    In this query I correlate 'Appliance Access' log entries logged by the Sophos Firewall to see if someone ran a port scan against my IP address / appliance. -- VARIABLE $$Ports_Seen_Threshold$$ String -- Ignoring log entries with src_port 53 (DNS) due...
    • 4 Aug 2021 9:16 AM
  • Figure out the original process that triggered a network connection (not swi_fc.exe)
    reg1nleifr
    • Network
    • Approved on 18 May 2022
    • 4 Comments
    Hello, I've been using the following query for some time to figure out the processes related to a network connection (getting suspicious network connection from other security products as input): # $$startTime$$ - Date # $$endTime$$ - Date # $$uri...
    • 2 Aug 2021 1:03 PM
  • Receiving ACL for SAM file not working
    Dennis Barnekow
    • Threat Hunting
    • Under Review on 30 Jul 2021
    • 0 Comments
    Hi, I created this query to check which of our systems are affected by the serious SAM vulnerability. When I fire the query I do not receive any data back. Does someone know what I did wrong? SELECT * FROM ntfs_acl_permissions WHERE path like 'C:\Windows...
    • 30 Jul 2021 9:26 AM
  • Query for PetitPotam Events
    JeramyKopacko
    • Threat Hunting
    • Under Review on 28 Jul 2021
    • 4 Comments
    Consider the following information regarding ADCS Attacks: https://community.sophos.com/b/security-blog/posts/petitpotam-attack We can quickly identify this by searching for the event logs with the following: SELECT datetime(time, 'unixepoch', 'localtime...
    • 28 Jul 2021 1:56 PM
  • Query for PetitPotam Conditions
    JeramyKopacko
    • Threat Hunting
    • Under Review on 27 Jul 2021
    • 0 Comments
    This query will search if your environment has the conditions to be exposed by the recent "PetitPotam" vulnerability as described here: https://nakedsecurity.sophos.com/2021/07/26/windows-petitpotam-network-attack-how-to-protect-against-it/ This will...
    • 27 Jul 2021 7:47 AM
  • MITRE TTP Hunting across Linux
    AzRoN
    • Data Lake
    • Approved on 29 Dec 2021
    • 0 Comments
    Thanks to Karl A for the help on this one, and sourcing information from the Purple Team Field Manual for the relevant TTPs. This query will do a broad sweep of observed activities originating from Linux assets and align them with MITRE ATT&CK TTPs. We...
    • 26 Jul 2021 5:31 PM
  • HiveNightmare aka SeriousSAM vulnerability query
    SecBug
    • Threat Hunting
    • Under Review on 22 Jul 2021
    • 1 Comment
    The Live Discover query below, from Sophos MTR, will identify processes that have accessed either the SAM, SECURITY, or SYSTEM Registry hive files in Shadow volumes. It is optimized to minimize the number of accesses to the Sophos File Journal to enable...
    • 22 Jul 2021 11:43 AM
© 1997 - 2024 Sophos Ltd. All rights reserved.