Hi, I am looking for a way to have a query to detect all activity of NetBIOS and IPv6. These two ports need to be disabled on all network devices so I am looking for a query I can run on a monthly basis to confirm these ports are disabled. From...

I am trying to determine what process is generating outbound SMB traffic on a system. I can see the traffic in the firewall logs, but when I use the query below, nothing comes up. It doesn't matter which system I check, or whether I use port 137 or 445...

Cannot get results back from online rules (based on this https://community.sophos.com/intercept-x-endpoint/b/blog/posts/yara-scanning-rules-with-sophos-xdr ) so tried the simplest osquery I could think of: SELECT * FROM yara WHERE path = 'c:\windows...

Hi Team, Here is a Live Discover Query for all DNS requests in a particular time frame from a device. You can use % for all processes or search for a particular process. -- DNS Lookups by Process -- $$Start Time$$ DATE -- $$End Time$$ DATE -- $$Process...

Hello, I would like to know if it is possible to make a query to show devices where there is a specific file in the Data Lake. Thank you

Hello, I would like suggestions regarding how to put together a query to find MD5 hashes. There is a built-in query called Processes matching SHA-256 hashes in the last 30 days (below), but I would like to search for MD5 hashes not SHA-256, since...

When a device is enrolled in Early Access, many of the Sophos service tags for registry keys go from RECOMMENDED to BETA. Upon reviewing the results of this query, if any devices return with "data" : "BETA" - those devices are in the early access program...

I want to see any users or groups that have been added to the Local Administrators group on a PC. Including domain users and groups. I've been looking at this post: https://community.sophos.com/intercept-x-endpoint/i/user/edr-query-to-find-all-local...

Can someone help me. I need collect serial numbers of computers with sophos agent installed.

Hi All, Does anyone know of a way I can query to find the version of Chrome that is installed on an endpoint? Thanks.