Sophos Community

Latest Live Discover and Response Queries (All)

Snowflake Reference Table

digital specz
- Data Lake
- Under Review on 3 Apr 2023
- 0 Comments
How to create a reference table in Snowflake that picks up the column name and the column value together as a result to be referenced in another SQL Query ?
- 3 Apr 2023 11:36 AM
Scan for Old Sophos Connect Client

Qoosh
- Device
- Under Review on 2 Mar 2023
- 0 Comments
This query will return all devices that don’t have the latest version of the Sophos Connect Client installed. This is a Live Discover Query for Windows devices. SELECT name, version, install_location FROM programs WHERE name like 'Sophos Connect' and...
- 2 Mar 2023 6:42 PM
New to the data lake - Is it possible to get the revision of windows, as well as the build number?

Brian Adgey
- Device
- Complete on 21 Feb 2023
- 1 Comment
Hi, im just wondering if the revision of a windows machine is also uploaded to the datalake. I have had a look at the schema and i cannot see it contained within it. If it its not in the datalake, can it be live queried from a machine?
- 31 Jan 2023 3:46 PM
Browser History

Parag Shukla
- Device
- Complete on 27 Feb 2023
- 1 Comment
Hi Team, For the hunting purpose is it possible can we get browser history from the end user's system. If someone knows about related osquesry please share. I was trying with SELECT * FROM chrome_history LIMIT 10 ; but no luck.
- 10 Jan 2023 1:25 PM
Query Deployed Integrations

Qoosh
- Other queries
- Approved on 21 Feb 2023
- 0 Comments
This query will list all deployed MDR Integrations. SELECT sensor_type Integration_Category, sensor_vendor Vendor, COUNT(*) Records, CAST(CAST(SUM(upload_size)/1024.0 AS DECIMAL(10,2)) AS VARCHAR)||'KB' Data_uploaded, CAST(DATE_DIFF('hour...
- 7 Dec 2022 2:57 AM
[Datalake] Domain Admin Logins

rfrutiger
- User
- Under Review on 2 Nov 2022
- 0 Comments
I'm wanting to create a query against the datalake that would report logins by users in the Domain Admins active directory group. I have seen examples for locating local admins, but I haven't seen any information on getting information about domain admin...
- 2 Nov 2022 5:00 PM
[Sophos Firewall / Data Lake] Identify Attempts to Access Firewall by Country

Matthew Ritchie
- Network
- Under Review on 18 Oct 2022
- 1 Comment
SELECT device_model, --device_serial_id, --app_name AS ProtoPort, --in_interface,-- --src_mac,-- src_ip, dst_ip, src_country, log_type AS Source_Log, log_subtype AS Decision, src_port, dst_port --protocol-- FROM xgfw_data ...
- 18 Oct 2022 7:47 PM
mismatched input

ekrem19
- User
- Complete on 14 Oct 2022
- 4 Comments
Hi, I run the following query and had an error. I got the query from GitHub. https://github.com/Sophos-Community/XDR_Queries/commit/80a062e25426c9879b4b238cf889e93088e2e41f What could be wrong? Invalid sql: SELECT source, eventid, CAST(datetime...
- 13 Oct 2022 11:31 PM
Live Discover query to check installed Internet Explorer

gb-hg
- Device
- Complete on 7 Oct 2022
- 1 Comment
Hello all, I would be very interested if someone has a ready-made query to check an installed Internet Explorer on Windows clients/server? C:\Program Files\Internet Explorer\iexplore.exe Many thanks for your support!
- 7 Oct 2022 1:22 PM
Using Live Discover to determine TPM enabled devices

Tenchima
- Device
- Complete on 7 Oct 2022
- 3 Comments
Does anyone know of a SQL Query format in the Designer Mode in Live Discover that will allow me to query all Windows devices to determine which online systems have a TPM module? Thanks. -Andy
- 25 Aug 2022 10:31 PM

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Snowflake Reference Table

Scan for Old Sophos Connect Client

New to the data lake - Is it possible to get the revision of windows, as well as the build number?

Browser History

Query Deployed Integrations

[Datalake] Domain Admin Logins

[Sophos Firewall / Data Lake] Identify Attempts to Access Firewall by Country

mismatched input

Live Discover query to check installed Internet Explorer

Using Live Discover to determine TPM enabled devices

Submitted a Tech Support Case lately from the Support Portal?