Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Compare IP activity to Remote List of IOC IP addresses

    • Under Review on
    • 0 Comments
    Utilizing a post from Karl_Ackerman and the precanned queries in Sophos Central, here is a query that can pull down a remote csv table, and join it to the sophos_ip_journal. It takes one variable: URL -- String -- $$URL$$ In this use case, I took...
  • Yara rules not returning results

    • Under Review on
    • 0 Comments
    Cannot get results back from online rules (based on this https://community.sophos.com/intercept-x-endpoint/b/blog/posts/yara-scanning-rules-with-sophos-xdr ) so tried the simplest osquery I could think of: SELECT * FROM yara WHERE path = 'c:\windows...
  • NIX TTP Detector (MITRE ATT&CK)

    • Approved on
    • 0 Comments
    Below is a query to classify activity to MITRE for NIX machines (LINUX and MAC). It runs against the data lake. The detection risk level has not been tuned, so you will need to edit the query in your environment. /*******************************...
  • FORCEDENTRY Safari Check (CATALINA & MOJAVE)

    • Under Review on
    • 0 Comments
    SELECT CASE WHEN bundle_short_version = '14.1.2' THEN 'PATCHED' ELSE 'Vulnerable to FORCEDENTRY' END AS VulnCheck FROM apps WHERE name = 'Safari.app'
  • FORCEDENTRY Big Sur 11.6 Version Check

    • Under Review on
    • 0 Comments
    SELECT CASE WHEN version = '11.6' THEN 'Not Vulnerable to FORCEDENTRY' ELSE 'Vulnerable | Upgrade to 11.6' END AS BigSurCheck FROM os_version WHERE major = '11'
  • T1078 - CVE-2020-1472 - Netlogon

    • Under Review on
    • 0 Comments
    This is an older vulnerability but still nice to showcase the capabilities of how XDR can discover CVEs. This query will search for and detect a Windows vulnerability affecting the Netlogon feature. Sophos Security Bulletin: https://community.sophos.com...
  • Query - IOCs From GitHub list

    • Under Review on
    • 2 Comments
    /* Desc: Number of Hours of activity to search / TYPE: String / SQLVAR: $$Number of Hours of activity to search$$ Desc: RAW IOC List location from a URL / TYPE: String / SQLVAR: $$RAW IOC List location from a URL$$ / Value: ... Desc: Start Search From...
  • Detecting IOCs from ACSC 2020-008 The Copy-Paste Compromise Notification

    • Under Review on
    • 1 Comment
    REVIEWED by Sophos Hello all The Australian Federal Government recently issued a warning to all Australians that we're under an increasing number of cyber attacks. Although this served as a general warning to everyone, the Australia Cyber Security...
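The two FORCEDENTRY queries listed above compare the version string for equality with the fixed build, so a host running a later release (Safari 14.1.3, macOS 11.6.1) falls into the ELSE branch and is reported as vulnerable. The query below is an added example, not one of the forum posts, showing how to do the same checks in Live Discover's osquery SQL with the version components compared as integers. It reads the same apps and os_version tables the posts use, and assumes osquery's SPLIT(value, delimiter, index) function and the INTEGER major/minor/patch columns of os_version, both of which are standard osquery; the fixed versions (Safari 14.1.2, macOS 11.6) are the ones the posted queries already use.

```sql
-- Added example: version-aware FORCEDENTRY check (osquery SQL, as run in Live Discover).
-- Not from the posted queries; compares version components numerically so that
-- a later patch release counts as fixed instead of matching the ELSE branch of
-- an exact string comparison.
-- Assumptions: osquery's SPLIT(value, delimiter, index) function and the INTEGER
-- major/minor columns of os_version.
WITH safari AS (
  SELECT
    bundle_short_version AS observed,
    -- SPLIT returns NULL past the last component; treat a missing part as 0
    COALESCE(CAST(SPLIT(bundle_short_version, '.', 0) AS INTEGER), 0) AS maj_v,
    COALESCE(CAST(SPLIT(bundle_short_version, '.', 1) AS INTEGER), 0) AS min_v,
    COALESCE(CAST(SPLIT(bundle_short_version, '.', 2) AS INTEGER), 0) AS pat_v
  FROM apps
  WHERE name = 'Safari.app'
),
macos AS (
  SELECT
    version AS observed,
    major,
    minor
  FROM os_version
)
-- Safari 14.1.2 or later is the fixed build used by the Catalina/Mojave post
SELECT
  'Safari.app' AS check_name,
  observed,
  CASE
    WHEN maj_v > 14
      OR (maj_v = 14 AND min_v > 1)
      OR (maj_v = 14 AND min_v = 1 AND pat_v >= 2)
    THEN 'PATCHED'
    ELSE 'Vulnerable to FORCEDENTRY'
  END AS verdict
FROM safari
UNION ALL
-- macOS 11.6 or later is the fixed release used by the Big Sur post;
-- restricted to major = 11 so Catalina/Mojave hosts are not flagged by this branch
SELECT
  'macOS Big Sur' AS check_name,
  observed,
  CASE
    WHEN minor >= 6
    THEN 'Not Vulnerable to FORCEDENTRY'
    ELSE 'Vulnerable | Upgrade to 11.6'
  END AS verdict
FROM macos
WHERE major = 11;
```

Each device returns up to two rows, one per check, so the results table can be sorted on the verdict column to list unpatched hosts first. The Safari row is the one that matters on Catalina and Mojave, where Safari is updated independently of the OS; on Big Sur the OS row carries the fix and the Safari row will simply show a 15.x build as patched.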