Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
If Sophos pre-defined queries aren't working, Sophos Support can help to ensure that data is uploaded from your devices to the Sophos Data Lake. Visit the support portal
For custom query assistance, please see Getting LD&R Community Support or contact Sophos Professional Services.
For more information on Live Discover, please check out our Product Documentation

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • LINUX Process Tree for Data Lake (SHORT)

    Karl_Ackerman
    • Anomalies
    • Approved on
    • 0 Comments
    -- FIXED PID RECYCLE PROBLEM With the Data lake and LINUX we have some challenges creating a Sophos PID. The issue is around time from the Linux Process Events Journal in OSQuery. It does not have accurate enough process start time information so we...

  • LINUX MITRE ATT&CK TTP Detector (DATA LAKE)

    Karl_Ackerman
    • Anomalies
    • Approved on
    • 0 Comments
    Below is a DATA LAKE QUERY for a basic LINUX and MAC OS TTP Detection query. It has multiple variables VARIABLES Number of hours to search STRING Verbosity 0-9 (use 10 for ALL) STRING device_name STRING mitre_id STRING tactic name STRING...

  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs - Removal of .evtx files

    EMK
    • ATT&CK
    • Complete on
    • 0 Comments
    MITRE Technique T1070.001 - "Indicator Removal on Host: Clear Windows Event Logs" - details adversaries may clear the Windows Event Logs, typically Security, to hide the activity of an intrusion. One should therefore be mindful of tools such as wevtutil...

  • Port scan detection using Sophos Firewall data in the Data Lake

    Marcel
    • Data Lake
    • Approved on
    • 4 Comments
    In this query I correlate 'Appliace Access' log entries logged by the Sophos Firewall to see if someone ran a port scan against my IP address / appliance. -- VARIABLE $$Ports_Seen_Threshold$$ String -- Ignoring log entries with src_port 53 (DNS) due...

  • Figure out the original process that triggered a network connection (not swi_fc.exe)

    reg1nleifr
    • Network
    • Approved on
    • 4 Comments
    Hello, I've been using the following query for some time to figure out the processes related to a network connection (getting suspicious network connection from other security products as input): # $$startTime$$ - Date # $$endTime$$ - Date # $$uri...

  • Receiving ACL for SAM file not working

    Dennis Barnekow
    • Threat Hunting
    • Under Review on
    • 0 Comments
    Hi, I created this query to check which of our systems are effected by serious SAM vulnerability. When I fire the query I not receive any data back. Does someone know what I did wrong? SELECT * FROM ntfs_acl_permissions WHERE path like 'C:\Windows...

  • Query for PetitPotam Events

    JeramyKopacko
    • Threat Hunting
    • Under Review on
    • 4 Comments
    Consider the following information regarding ADCS Attacks: https://community.sophos.com/b/security-blog/posts/petitpotam-attack We can quickly identify this by searching for the event logs with the following: SELECT datetime(time, 'unixepoch', 'localtime...

  • Query for PetitPotam Conditions

    JeramyKopacko
    • Threat Hunting
    • Under Review on
    • 0 Comments
    This query will search if your environment has the conditions to be exposed by the recent "PetitPotam" vulnerability as described here: https://nakedsecurity.sophos.com/2021/07/26/windows-petitpotam-network-attack-how-to-protect-against-it/ This will...

  • MITRE TTP Hunting across Linux

    AzRoN
    • Data Lake
    • Approved on
    • 0 Comments
    Thanks to Karl A for the help on this one, and sourcing information from the Purple Team Field Manual for the rlevant TTPs. This query will do a broad sweep of observed activites originating from Linux assets and align them with MITRE ATT&CK TTPs. We...

  • HiveNightmare aka SeriousSAM vulnerability query

    SecBug
    • Threat Hunting
    • Under Review on
    • 1 Comment
    The Live Discover query below, from Sophos MTR, will identify processes that have accessed either the SAM, SECURITY, or SYSTEM Registry hive files in Shadow volumes. It is optimized to minimize the number of accesses to the Sophos File Journal to enable...
Unfiltered HTML