Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
If Sophos pre-defined queries aren't working, Sophos Support can help to ensure that data is uploaded from your devices to the Sophos Data Lake. Visit the support portal
For custom query assistance, please see Getting LD&R Community Support or contact Sophos Professional Services.
For more information on Live Discover, please check out our Product Documentation

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Identify all portable executables deployed or modified by a process name over time

    Karl_Ackerman
    • Anomalies
    • Approved on
    • 0 Comments
    REVIEWED by Sophos For this query we want to identify all portable executables that have been written to the device. We have some variables so if you want to can look for the Portable Executables created by a specific process %powershell% or all processes...

  • 10 queries for exploring windows events and security groups

    Karl_Ackerman
    • User
    • Approved on
    • 0 Comments
    REVIEWED by Sophos The Sophos UK Sales engineering team has been getting familiar with live discover. In the work they explored group policy and provided the following queries: Deleted security groups - Variable to specify the number of days to...

  • Simple query to audit Microsoft RDP enablement status (from registry)

    AndrewMundell
    • Device
    • Approved on
    • 0 Comments
    REVIEWED by Sophos Just a quick query to audit the state of MS RDP via the registry, uncomment (remove the 2 leading '--' from the last line) to return only machines where RDP is enabled. SELECT CASE WHEN data = 0 then 'RDP Enabled' WHEN data...

  • Detecting IOCs from ACSC 2020-008 The Copy-Paste Compromise Notification

    AzRoN
    • Threat Hunting
    • Under Review on
    • 1 Comment
    REVIEWED by Sophos Hello all The Australian Federal Government recently issued a warning to all Australian's that we're under an increasing number of cyber attacks. Although this served as a general wanring to everyone, the Australia Cyber Security...

  • Live Discover - PowerShell command audit

    jak
    • Processes
    • Approved on
    • 0 Comments
    REVIEWED by Sophos Hello Threat Hunters! I mentioned in this post: https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/120201/live-response---command-audit/ how you could audit the history of PowerShell...

  • Live Discover Query - MAC address list

    AndyM
    • Network
    • Approved on
    • 2 Comments
    REVIEWED by Sophos A simple one for listing the interfaces of devices and their MAC addresses. Potentially handy if you need to check DHCP logs, firewall logs, or update your WIFI MAC filtering list. SELECT description "Desc", mac "MAC" FROM interface_details...

  • Live Discover Query - Authentication History for a User

    AndyM
    • User
    • Approved on
    • 1 Comment
    REVIEWED by Sophos This is a Windows-only query that looks at the system events logs to see logon history for users. This will show how a user is authenticated on Windows endpoints and servers. You can expect to see locally connected users (Interactive...

  • Live Discover Query - CPU Usage (Weighted)

    AndyM
    • Device
    • Approved on
    • 0 Comments
    REVIEWED by Sophos Hi guys, Been playing with live discover, which seems to be all I'm doing at the moment, it's a little addictive! Anyway wrote a simple query to collect the most active processes on devices. Unlike the cpu_time table, this query...

  • Detecting Kingminer IOCs

    Karl_Ackerman
    • Threat Hunting
    • Approved on
    • 2 Comments
    REVIEWED by Sophos See the story from Sophos Labs Uncut on KingMiner: https://news.sophos.com/en-us/2020/06/09/kingminer-report/ The article is both educational and enlightening. One of the aspects of KingMiner that is common with other attacks is...

  • Live Discovery Query: Identify new admin accounts

    Karl Ackerman
    • User
    • Approved on
    • 1 Comment
    REVIEWED by Sophos This query will identify new admin accounts created in the last N Days. SELECT u.username, (SELECT datetime FROM sophos_windows_events WHERE eventid = '4720' AND json_extract(json_extract(data, '$.EventData'),'$.TargetSid') = u...
Unfiltered HTML