• Querying DNS data with Live Discover

    RichBaldry
    One of the most common comments from EAP participants so far has been about the lack of visibility of DNS traffic data. The EAP refresh release coming in a week or two will help a lot with that, but in the meantime I thought I'd provide some examples…
    • over 1 year ago
    • Sophos DNS Protection (EAP) (Read - Only)
    • Recommended Reads
  • [QueryCorner][October2023] Reviewing NSA and CISA Top 10 Misconfigurations

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Table of Contents Background 1) Default Configurations…
    • over 1 year ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][June2023] Sophos Endpoint/Server - Auditing for Azure Code Signing Support

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose Microsoft announced a requirement for Azure Code Signing…
    • over 1 year ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][March2023] Deep Diving into OneNote Attacks

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Index Purpose Prerequisites Query #1 - Live Discover - Check…
    • over 1 year ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][January2023] Live Discover - Network: Processes with an open network connection

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose If you have not traversed the XDR journals, please review…
    • over 1 year ago
    • Sophos Endpoint
    • Recommended Reads
  • [Sophos Firewall / Data Lake] Identify Attempts to Access Firewall by Country

    Matthew Ritchie
    SELECT device_model, --device_serial_id, --app_name AS ProtoPort, --in_interface,-- --src_mac,-- src_ip, dst_ip, src_country, log_type AS Source_Log, log_subtype AS Decision, src_port, dst_port --protocol-- FROM xgfw_data …
    • over 2 years ago
    • Sophos Endpoint
    • Network
  • [QueryCorner][October2022] Audit Application Control

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose Sophos Endpoint and Server products all come equipped with…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][October2022] Audit Peripheral Control

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose Sophos Endpoint and Server products all come equipped with…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][October2022] Deep Diving into Windows Firewall

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose The Windows Firewall is a security component to help protect…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][September2022] Live Discover - Program Execution Evidence

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose This query is taken directly from the Sophos Rapid Response…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][August2022] Deep Diving Into RDP

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose Often, Remote Desktop Protocol (RDP) sessions are used…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][August2022] Live Discover - IOC Hunting

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose Let's revisit a query written by Kyle Seike - post can…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][July2022] Windows PCI Audit Report

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose This query is designed to give you information required…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][July2022] Live Discover Device Card - MacOS

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose This query is designed to give you a "Total Report" of…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][June2022] Deep Diving Into Reboots

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose Rebooting a computer can be a delicate situation. It can…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • [QueryCorner][May2022] Audit User and Group Activity

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Purpose Our first post in the Query Corner is going to target User…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • Getting Started With Sophos Live Discover Design Mode

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Overview This post is going to cover setting up a user created…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • Query Corner Announcement and Master Index

    JeramyKopacko
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Overview Here at Sophos, we launched EDR into the endpoint platform…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • Outbound SMB Traffic

    Albert Straniti
    I am trying to determine what process is generating outbound SMB traffic on a system. I can see the traffic in the firewall logs, but when I use the query below, nothing comes up. It doesn't matter which system I check, or whether I use port 137 or 445…
    • over 2 years ago
    • Sophos Endpoint
    • Network
  • Live Discover: Query Cancelled: E Process SophosOsqueryExtension.exe exceeded 30% CPU limit

    LHerzog
    Hi, I need this Live Response quickly; unfortunately Sophos Intercept X is aborting the Query. What is this and how do I get to my data? I just want to use that product with a default query! 2022-03-31T14:29:22.937Z [ 9644: 8204] E Process SophosOsqueryExtension…
    • over 2 years ago
    • Sophos Endpoint
    • Discussions
  • Sophos Live Discover Query for CISA Alert (AA21-1481)-Sophisticated Spearphishing Campaign-Cobalt Strike

    Kyle Seike
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. A recent inquiry from a Sophos Customer indicated that they wanted…
    • over 2 years ago
    • Sophos Endpoint
    • Recommended Reads
  • Windows Update Query

    Sophos User5832
    Hello - Does anyone have a query they have used to see if Windows Update is running on an endpoint?
    • over 2 years ago
    • Sophos Endpoint
    • Discussions
  • Where can we get help for XDR Queries?

    LHerzog
    Hi, is there a better place for discussing Live or Data Lake Queries than the "Live Discover & Response Query Forum"? There is not much response there. Or should I contact support for special questions? Regards
    • over 2 years ago
    • Sophos Endpoint
    • Discussions
  • Datalake Performance Issues

    TomHilton
    Hi, Does anyone else have issues with Datalake queries just timing out? It's been pretty unusable for us ever since we turned on the function. We have around 15,000 endpoints on our Central environment so I wonder if it's just down to the sheer volume…
    • over 2 years ago
    • Sophos Endpoint
    • Discussions
  • Windows Servers: Live discover and MTR not working. MCS Client: W (async) connection timeout, W [push]: error creating async stream: 0

    LHerzog
    MTR team wrote us that some of our servers cannot be managed by them. This may be in relation to this thread. But there is no 503 error in MCSClient.log and the client is green for MCS communication. There has been another thread here also with…
    • over 2 years ago
    • Sophos Endpoint
    • Discussions