Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries? See Getting Started In Live Discover - From Beginner to Advanced Query Creation
Make sure to also check out Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.

Note: For more information on Live Discover, please check out our Product Documentation.

Navigate to a category below to browse and submit a query

Browse Ideas in Category
  • Detecting IOCs from ACSC 2020-008 The Copy-Paste Compromise Notification

    • Under Review on
    • 1 Comment
    REVIEWED by Sophos Hello all The Australian Federal Government recently issued a warning to all Australians that we're under an increasing number of cyber attacks. Although this served as a general warning to everyone, the Australia Cyber Security...
  • T1078 - CVE-2020-1472 - Netlogon

    • Under Review on
    • 0 Comments
    This is an older vulnerability but still nice to showcase the capabilities of how XDR can discover CVEs. This query will search and detect Windows vulnerability affecting the Netlogon feature. Sophos Security Bulletin: https://community.sophos.com...
  • Query - IOC's From GitHub list

    • Under Review on
    • 2 Comments
    /* Desc: Number of Hours of activity to search / TYPE: String / SQLVAR: $$Number of Hours of activity to search$$ Desc: RAW IOC List location from a URL / TYPE: String / SQLVAR: $$RAW IOC List location from a URL$$ / Value: ... Desc: Start Search From...
  • Live Discover Query - Vulnerability check for ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability

    • Approved on
    • 2 Comments
    REVIEWED by Sophos Windows has a zero-day that won’t be patched for weeks Well another day another zero day vulnerability. Today I am looking at how to best create a vulnerability check given information in a CVE and a Microsoft Notification. In this...
  • Live Discover Query - SDBot Malware - RAT

    • Approved on
    • 1 Comment
    REVIEWED by Sophos Here is a specific query identifying SDBot Malware used by the TA505 hacking group: SELECT DISTINCT srj.time AS event_timestamp, srj.keyName, srj.value, srj.eventType, srj.sophosPID, srj.valueName, 'REG_BINARY' AS valueType, 'SDBbot...
  • Live Discover Query - Malware persistence

    • Approved on
    • 2 Comments
    REVIEWED by Sophos Below are a few basic queries for pulling back data from places that malware likes to use for persistence. First up Registry Run keys: SELECT r.path, r.name, r.data, REPLACE(REPLACE(REPLACE(REGEX_SPLIT(r.data...
  • Live Discover Query - That nasty Microsoft DNS bug - SigRED a.k.a CVE-2020-1350

    • Approved on
    • 1 Comment
    REVIEWED by Sophos As the title says, Microsoft recently advised of a nasty bug within MS DNS servers. NakedSecurity has a great write up with suggested actions, PATCH NOW. Or implement a work around. https://nakedsecurity.sophos.com/2020/07/15...
  • NIX TTP Detector (MITRE ATT&CK)

    • Approved on
    • 0 Comments
    Below is a query to classify activity to MITRE for NIX machines (LINUX and MAC). It runs against the data lake. The detection risk level has not been tuned, so you will need to edit the query in your environment. /*******************************...