Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
If Sophos pre-defined queries aren't working, Sophos Support can help to ensure that data is uploaded from your devices to the Sophos Data Lake. Visit the support portal
For custom query assistance, please see Getting LD&R Community Support or contact Sophos Professional Services.
For more information on Live Discover, please check out our Product Documentation

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Last reboot time (Uptime)

    MichaelCurtis
    • Data Lake
    • Approved on
    • 0 Comments
    SELECT meta_hostname, MAX(meta_boot_time) AS EPOC, DATE_FORMAT(FROM_UNIXTIME(MAX(meta_boot_time)), '%Y-%m-%dT%H:%i:%SZ') AS Last_Reboot_Time FROM XDR_DATA GROUP BY meta_hostname ORDER BY Last_Reboot_Time ASC This query will report the last reboot date...

  • Software install count by version

    MichaelCurtis
    • Data Lake
    • Approved on
    • 1 Comment
    -- Software list temp table WITH software_temp AS ( SELECT DISTINCT name, MAX(version) AS version, meta_hostname FROM xdr_data WHERE query_name = 'windows_programs' Group BY name, meta_hostname ) select name AS Software_Title, version ,COUNT(version)...

  • Find out of date software

    MichaelCurtis
    • Data Lake
    • Approved on
    • 0 Comments
    -- Variables -- $$Software_Name$$ - String - Name of out of date software you are looking for -- $$Software_Version$$ - Latest version number. The query will return the software NOT running this version -- Software list temp table WITH software_temp AS...

  • List of installed software

    MichaelCurtis
    • Data Lake
    • Approved on
    • 0 Comments
    SELECT meta_hostname AS Hostname, name AS Software_Title, MAX(version) AS Version FROM xdr_data WHERE query_name = 'windows_programs' GROUP BY name, meta_hostname ORDER BY meta_hostname, name This query will list all the software installed on all...

  • Check the Flaw in AMD Platform Security Processor, CVE-2021-26333

    RaviSoni
    • Device
    • Approved on
    • 0 Comments
    The below query checks for the Flaw in the AMD PSP, CVE-2021-26333 if the system is vulnerable or not and print the appropriate message. -- Check the Flaw in AMD Platform Security Processor, CVE-2021-26333 SELECT CASE WHEN (SELECT 1 FROM cpu_info...

  • Show the % free disk space - DATA LAKE

    Victor Domingo
    • Queries
    • Under Review on
    • 1 Comment
    Please i need the query for Show the % free disk space on DATA LAKE. Its possible???? Thanks

  • OMIGOD Vulnerability | OMI version check

    Jainidhya Rajpal
    • Device
    • Approved on
    • 0 Comments
    SELECT CASE WHEN version = '1.6.8.1' THEN 'OMI is Updated' ELSE 'Update OMI to 1.6.8.1' END AS OMIGODVersionCheck, name, version, release, source, sha1, arch FROM rpm_packages WHERE name = 'omi' UNION ALL SELECT CASE ...

  • Retrieve Folder Size

    Connor Rosenthal
    • Files
    • Approved on
    • 1 Comment
    I know you can get data back from files but is there a way to modify the OSQuery to get folder or directory information. Wanter to get Desktop and Document size. and convert if possible to MB.

  • FORCEDENTRY Big Sur 11.6 Version Check

    Jainidhya Rajpal
    • Threat Hunting
    • Under Review on
    • 0 Comments
    SELECT CASE WHEN version = '11.6' THEN 'Not Vulnerable to FORCEDENTRY' ELSE 'Vulnerable | Upgrade to 11.6' END AS BigSurCheck FROM os_version WHERE major = '11'

  • FORCEDENTRY Safari Check (CATALINA & MOJAVE)

    Jainidhya Rajpal
    • Threat Hunting
    • Under Review on
    • 0 Comments
    SELECT CASE WHEN bundle_short_version = '14.1.2' THEN 'PATCHED' ELSE 'Vulnerable to FORCEDENTRY' END AS VulnCheck FROM apps WHERE name = 'Safari.app'
Unfiltered HTML