
Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query
  • Live Discover Query - Location (reviewed by Sophos, 2 comments)
    This might be a little out there, but you could look to locate all devices in the same physical location, or that had been in the same physical location, or gather some data to locate a device should it be stolen. Windows maintains a list...
  • Live Discover Query - General IT queries (3 comments)
    Hi, I have been looking at Live Discover and like the look of it. I am not an expert in threat hunting, but I was hoping I could use Live Discover to help me with my day-to-day IT tasks. I was thinking along the lines of the following. Machine is...
  • Live Discover Query - CPU Usage (Weighted) (reviewed by Sophos, 0 comments)
    Hi guys, I've been playing with Live Discover, which seems to be all I'm doing at the moment; it's a little addictive! Anyway, I wrote a simple query to collect the most active processes on devices. Unlike the cpu_time table, this query...
  • Simple query to audit Microsoft RDP enablement status (from registry) (reviewed by Sophos, 0 comments)
    Just a quick query to audit the state of MS RDP via the registry; uncomment the last line (remove the 2 leading '--') to return only machines where RDP is enabled. SELECT CASE WHEN data = 0 then 'RDP Enabled' WHEN data...