Sophos Community

Latest Live Discover and Response Queries (All)

Last reboot time (Uptime)

MichaelCurtis
- Data Lake
- Approved on 8 Dec 2021
- 0 Comments
SELECT meta_hostname, MAX(meta_boot_time) AS EPOC, DATE_FORMAT(FROM_UNIXTIME(MAX(meta_boot_time)), '%Y-%m-%dT%H:%i:%SZ') AS Last_Reboot_Time FROM XDR_DATA GROUP BY meta_hostname ORDER BY Last_Reboot_Time ASC This query will report the last reboot date...
- 14 Oct 2021 12:26 PM
Software install count by version

MichaelCurtis
- Data Lake
- Approved on 8 Dec 2021
- 1 Comment
-- Software list temp table WITH software_temp AS ( SELECT DISTINCT name, MAX(version) AS version, meta_hostname FROM xdr_data WHERE query_name = 'windows_programs' Group BY name, meta_hostname ) select name AS Software_Title, version ,COUNT(version)...
- 14 Oct 2021 12:23 PM
Find out of date software

MichaelCurtis
- Data Lake
- Approved on 4 Dec 2021
- 0 Comments
-- Variables -- $$Software_Name$$ - String - Name of out of date software you are looking for -- $$Software_Version$$ - Latest version number. The query will return the software NOT running this version -- Software list temp table WITH software_temp AS...
- 14 Oct 2021 12:20 PM
List of installed software

MichaelCurtis
- Data Lake
- Approved on 3 Dec 2021
- 0 Comments
SELECT meta_hostname AS Hostname, name AS Software_Title, MAX(version) AS Version FROM xdr_data WHERE query_name = 'windows_programs' GROUP BY name, meta_hostname ORDER BY meta_hostname, name This query will list all the software installed on all...
- 14 Oct 2021 12:14 PM
Check the Flaw in AMD Platform Security Processor, CVE-2021-26333

RaviSoni
- Device
- Approved on 25 Feb 2022
- 0 Comments
The below query checks for the Flaw in the AMD PSP, CVE-2021-26333 if the system is vulnerable or not and print the appropriate message. -- Check the Flaw in AMD Platform Security Processor, CVE-2021-26333 SELECT CASE WHEN (SELECT 1 FROM cpu_info...
- 2 Oct 2021 8:27 PM
Show the % free disk space - DATA LAKE

Victor Domingo
- Queries
- Under Review on 17 Sep 2021
- 1 Comment
Please i need the query for Show the % free disk space on DATA LAKE. Its possible???? Thanks
- 17 Sep 2021 12:24 PM
OMIGOD Vulnerability | OMI version check

Jainidhya Rajpal
- Device
- Approved on 17 Sep 2021
- 0 Comments
SELECT CASE WHEN version = '1.6.8.1' THEN 'OMI is Updated' ELSE 'Update OMI to 1.6.8.1' END AS OMIGODVersionCheck, name, version, release, source, sha1, arch FROM rpm_packages WHERE name = 'omi' UNION ALL SELECT CASE ...
- 17 Sep 2021 12:00 PM
Retrieve Folder Size

Connor Rosenthal
- Files
- Approved on 18 May 2022
- 1 Comment
I know you can get data back from files but is there a way to modify the OSQuery to get folder or directory information. Wanter to get Desktop and Document size. and convert if possible to MB.
- 16 Sep 2021 9:54 PM
FORCEDENTRY Big Sur 11.6 Version Check

Jainidhya Rajpal
- Threat Hunting
- Under Review on 14 Sep 2021
- 0 Comments
SELECT CASE WHEN version = '11.6' THEN 'Not Vulnerable to FORCEDENTRY' ELSE 'Vulnerable | Upgrade to 11.6' END AS BigSurCheck FROM os_version WHERE major = '11'
- 14 Sep 2021 8:11 PM
FORCEDENTRY Safari Check (CATALINA & MOJAVE)

Jainidhya Rajpal
- Threat Hunting
- Under Review on 14 Sep 2021
- 0 Comments
SELECT CASE WHEN bundle_short_version = '14.1.2' THEN 'PATCHED' ELSE 'Vulnerable to FORCEDENTRY' END AS VulnCheck FROM apps WHERE name = 'Safari.app'
- 14 Sep 2021 7:31 PM

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

NDR Queries

Last reboot time (Uptime)

Software install count by version

Find out of date software

List of installed software

Check the Flaw in AMD Platform Security Processor, CVE-2021-26333

Show the % free disk space - DATA LAKE

OMIGOD Vulnerability | OMI version check

Retrieve Folder Size

FORCEDENTRY Big Sur 11.6 Version Check

FORCEDENTRY Safari Check (CATALINA & MOJAVE)