
Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • OMIGOD Vulnerability | OMI version check

    • Approved on
    • 0 Comments
    SELECT CASE WHEN version = '1.6.8.1' THEN 'OMI is Updated' ELSE 'Update OMI to 1.6.8.1' END AS OMIGODVersionCheck, name, version, release, source, sha1, arch FROM rpm_packages WHERE name = 'omi' UNION ALL SELECT CASE ...
  • Live Discover Query - Virtual Devices

    • Approved on
    • 1 Comment
    REVIEWED by Sophos Depending on the role of the user or device it might be worth exploring those computers that are running a virtual machine. This could be a computer on the network you don't have any visibility or control over that is being used by...
  • Live Discover Query - Show the % free disk space

    • Approved on
    • 3 Comments
    REVIEWED by Sophos Often when a user complains about a device being slow or having problems the first thing to check is how much free disk space does the device have. You can use this to monitor the devices under management to determine if you should...
  • Live Discover Query - Minimum hardware check

    • Approved on
    • 1 Comment
    REVIEWED by Sophos Given the advice in article 121027 regarding recommended hardware specifications. For example, Intercept X Advanced with EDR and MTR is: Disk space: 8 GB free RAM: 4 GB Cores: 2 The following query could be used to identify...
  • BitLocker Status

    • Approved on
    • 0 Comments
    REVIEWED by Sophos A query that will return the BitLocker status of an Endpoint SELECT device_id,drive_letter,percentage_encrypted, encryption_method, version, persistent_volume_id, CASE conversion_status WHEN 1 THEN 'Fully Encrypted' WHEN 2 THEN...
  • Add username to Windows Programs query

    • Approved on
    • 1 Comment
    Hello everyone, I need help with a simple query as I'm not well versed in SQL. Basically this is the query: SELECT name, version, install_location, install_source, publisher, install_date, identifying_number FROM programs Where name LIKE '%CAD%' ...
  • Find Domain Controllers

    • Approved on
    • 0 Comments
    REVIEWED by Sophos SELECT os_version.name os_name, services.name, services.display_name, services.start_type, services.path, services.status, services.user_account FROM services JOIN os_version WHERE services.name = 'NTDS' To only find machines...
  • Check the Flaw in AMD Platform Security Processor, CVE-2021-26333

    • Approved on
    • 0 Comments
    The query below checks for the flaw in the AMD PSP, CVE-2021-26333, reports whether the system is vulnerable or not, and prints the appropriate message. -- Check the Flaw in AMD Platform Security Processor, CVE-2021-26333 SELECT CASE WHEN (SELECT 1 FROM cpu_info...
  • Check if certificates are about to expire in the next N days

    • Approved on
    • 0 Comments
    REVIEWED by Sophos This query checks the certificates table and calculates if any certificates are going to be expiring in the next N days. If you are like me you have a story of when the business was impacted by some certificate expiring on a product...
  • Live discover: How to check Windows updates Available or not installed

    • Approved on
    • 6 Comments
    Hi friends, I've been trying to create a query to display all patches or Windows updates available from a server. I tried this, but it doesn't work: SELECT meta_hostname AS ep_name, hotfix_id, caption, description, FROM xdr_data WHERE query_name...
  • Application Whitelist

    • Approved on
    • 0 Comments
    Combined the idea of loading a CSV from a local file: https://community.sophos.com/intercept-x-endpoint/i/query-tips/load-a-local-csv-file-or-remote-csv-file-as-a-virtual-table to compare a list of applications against installed applications, as a...
  • List Installed Deb Packages on Debian/Ubuntu Linux Serve

    • Approved on
    • 0 Comments
    SELECT name "Package name", version "Package version", source "Package source", size "Package size in bytes", arch "Package architecture", revision "Package revision" FROM deb_packages
  • Verify if an endpoint agent is on the new SDDS3 update mechanism

    • Approved on
    • 1 Comment
    This query will verify if the Sophos Endpoint Agent is on the new SDDS3 update mechanism. https://support.sophos.com/support/s/article/KB-000043550?language=en_US SDDSStatus will indicate if the endpoint is on SDDS2 or SDDS3. An SDDS3Ready status...
  • Live Discover Query to see the versions of any software installed on macOS

    • Approved on
    • 5 Comments
    Hello Sophos Team, I wanted a live discovery query that would retrieve the version of any software installed on macOS machines in my environment, as well as the hostname / IP of the machines. The purpose of this query is to verify and patch all programs...
  • Examine for a specific driver vendor type and version

    • Approved on
    • 3 Comments
    Given the recent news about Nvidia GPU driver kernel escalation bugs, I would like to know if it is possible to search for drivers with the following: use a variable to examine for a single driver like nvidia; report the version of the driver. ...
  • Find machines with running Print Spooler service, or that could be

    • Approved on
    • 1 Comment
    SELECT name, display_name, start_type, path, status, user_account, CASE WHEN status = 'RUNNING' THEN 'Stop service to end exposure to unpatched vulnerabilities inc. Print Nightmare' END AS SpoolerCheck, CASE WHEN start_type != 'Disabled' THEN 'Set Spooler...
  • Query to collect Serial Numbers of computers

    • Approved on
    • 2 Comments
    Can someone help me? I need to collect serial numbers of computers with the Sophos agent installed.
  • Check version of Notepad++ installed vs latest available

    • Approved on
    • 0 Comments
    REVIEWED by Sophos Followup to the Firefox query, repeating the process for Notepad++. SQL published at https://gist.github.com/andrewmundellsophos/17ea7cd7614fc61c3046e64586c4186b and pasted below: --Tested and working as of 2020-07...
  • Check for conflicting windows security software

    • Approved on
    • 1 Comment
    REVIEWED by Sophos Customers confronted with unexplainable red statuses and installation/update issues were helped by this: ------- select * FROM windows_security_products WHERE name is not 'Windows Firewall' and name is not 'Microsoft Defender...
  • Live Discover Query - BitLocker

    • Approved on
    • 1 Comment
    REVIEWED by Sophos The first query will show for Windows devices if any drive has been encrypted using BitLocker: select drive_letter as "Drive Letter", case protection_status when "1" then "ENABLED" else "DISABLED" end "Protection Status", encryption_method...