Hello.
I'm trying to create a query that allows me to check if a hash from a comma-separated list is located on some device.
The problem I have when consulting the hash table is that it does not show me any value if I do not define a directory…
Hello! How can I use the Live Discover query called "File attributes and metadata" to locate a file that might be stored at any place on a computer, or at different places on different computers? This article on Sophos.com got me thinking. They suggest…
Hi Team, Community,
Could you help share a query that retrieves the list of installed non-Microsoft software versions?
Thank you so much in advance.
Posted this for easier access as I am sharing it with another community user who looked for this functionality:
SELECT DISTINCT
eventid,
CASE eventid
WHEN '41' THEN 'Rebooted without clean shutdown'
WHEN '1074' THEN 'Shutdown properly by user…
I'm trying to get the root process for an event on a client that is currently offline, using a Data Lake query.
However, the Parent PID search gives no results. The event is 14 days old. I thought the Sophos PID is THE indicator of something in the Data Lake - how…
Hi
I want to detect what program on a Windows PC with Sophos Endpoint is trying to access a service running on a specific port on other equipment in my network.
Is it possible to do that with Sophos Central, with Live Discovery?
Today Sophos is pushing new updates to NTP Engine, causing short outages on every computer.
This produces some amount of calls to our helpdesk and I'd like to run a query in Live Discover for computers that have received the update.
This would…
SELECT
CASE
WHEN version = '1.6.8.1' THEN 'OMI is Updated'
ELSE 'Update OMI to 1.6.8.1'
END AS OMIGODVersionCheck,
name,
version,
release,
source,
sha1,
arch
FROM rpm_packages WHERE name = 'omi'
UNION ALL
SELECT
CASE
…
I know you can get data back from files, but is there a way to modify the osquery to get folder or directory information? I wanted to get the Desktop and Documents size, and convert it to MB if possible.
SELECT
CASE
WHEN version = '11.6' THEN 'Not Vulnerable to FORCEDENTRY'
ELSE 'Vulnerable | Upgrade to 11.6'
END AS BigSurCheck
FROM os_version WHERE major = '11'
This query will check the installed version of Confluence and print a message stating whether the installed Confluence version is PATCHED or NOT PATCHED.
SELECT DISTINCT
'Check Confluence Version to confirm Patch' Test,
CASE version
WHEN '6.13.23' THEN…
/*
Desc: Number of Hours of activity to search / TYPE: String / SQLVAR: $$Number of Hours of activity to search$$ Desc: RAW IOC List location from a URL / TYPE: String / SQLVAR: $$RAW IOC List location from a URL$$ / Value: ... Desc: Start Search From…
Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Table of Contents
Introduction
Goals
Prerequisites
Check…
This query is leveraged in our recommended read to assist in auditing unsupported software. Credit to Jainidhya for assembling this little beauty.
Set a variable $$Version$$ with type 'string' and another variable $$Name$$ with type 'string'.
Once…
This is an older vulnerability but still nice to showcase the capabilities of how XDR can discover CVEs.
This query will search for and detect the Windows vulnerability affecting the Netlogon feature.
Sophos Security Bulletin: https://community.sophos.com…
Hi,
I created this query to check which of our systems are affected by the serious SAM vulnerability.
When I fire the query I do not receive any data back.
Does someone know what I did wrong?
SELECT * FROM ntfs_acl_permissions WHERE path like 'C:\Windows…
The Live Discover query below, from Sophos MTR, will identify processes that have accessed either the SAM, SECURITY, or SYSTEM Registry hive files in Shadow volumes.
It is optimized to minimize the number of accesses to the Sophos File Journal to enable…
Hello,
I am not sure if I am in the right place here.
We need a query for who changed an Active Directory object, e.g. who disabled or enabled a computer in AD.
There are queries for user objects but I haven't found any for computer objects.
Can…
This query will search your endpoints for the following CVEs and their currently released patches: 2021-1675, 2021-34527, and 2021-34481.
As of writing this, CVE-2021-34481 is considered still vulnerable and the recommended fix is to disable the print…
Hunting query we've used for detecting suspicious processes exploiting the SeriousSAM vulnerability. Depending on your environment you might see plenty of false positives. A good idea might be to add valid processes to the query based on the sha256 value…
This query will parse the Web Intelligence log files and display the URLs that users have visited or have attempted to visit, the category of the URL, the action taken, etc. This gives a rough idea of what users have visited on a specific date.
Declare…
It may be useful to see what specific PID, program, syntax, etc., and its threat scoring, has interacted with a specific IP. This is the final query from the Getting Started Recommended Read shared recently.
## DEFINE $$IPaddress$$ as IPaddress
…
Table of Contents
Background
Prerequisites
Guide
Intro…
Similar to the Data Lake query (which seems to be having issues since it's not detecting all DLL files in all folders), we've also created a Live Discover query for Windows systems for the PrintNightmare vulnerability. The query could be scheduled via…