Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • EDR Query - Kaseya ransomware IOC's

    RaviSoni
    • Threat Hunting
    • Approved on
    • 0 Comments
    SophosLabs has published the IOC for Kaseya ransomware. Below is the query that fetches the IOC published on GitHub and check for matching Indicators present in the endpoint. /* EDR Query to check for matching REvil-Kaseya-IOC's */ --VARIABLE $$StartTime...

  • Printnightmare Hunting Query (Data Lake)

    reg1nleifr
    • Threat Hunting
    • Under Review on
    • 9 Comments
    We've created a hunting query for possible infected cve-2021-1675 Hosts, based on this Sigma Rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/malware/av_printernightmare_cve_2021_1675.yml The input variable "C:\Windows\System32\spool...

  • PrintNightmare PrintSpooler Service Check

    Jainidhya
    • Threat Hunting
    • Under Review on
    • 0 Comments
    --PrintNightMare Print Spooler Service Check SELECT display_name, status, start_type, user_account, CASE WHEN status = 'RUNNING' THEN ' Exposed to unpatched vulnerabilities inc. PrintNightmare' WHEN status ='STOPPED' THEN ' NOT exposed to unpatched...

  • Find machines with running Print Spooler service, or that could be

    j0hnV
    • Device
    • Approved on
    • 1 Comment
    SELECT name, display_name, start_type, path, status, user_account, CASE WHEN status = 'RUNNING' THEN 'Stop service to end exposure to unpatched vulnerabilities inc. Print Nightmare' END AS SpoolerCheck, CASE WHEN start_type != 'Disabled' THEN 'Set Spooler...

  • Find Endpoints with Outdated/Updated Software Installed

    Jainidhya
    • Device
    • Approved on
    • 0 Comments
    Below Queries will need a CSV file consisting of a List of Installed Software Example URL - https://raw.githubusercontent.com/jainidhya/CSV/main/program_list_sample1.csv 1) Query to get Updated/Outdated Software details from Remote(Github,Website...

  • Compliance query to report on uptime, last date of a Windows OS patch installation and any pending restart requests

    AndrewMundell
    • Compliance
    • Approved on
    • 0 Comments
    Hi there, we've combined the data from a few queries to present an all-in-one view of devices which need to be rebooted by returning the total uptime, the last time a Microsoft patch was installed, and if there are any pending restart requests. ...

  • Query Sophos Agent Needing Reboot

    JeramyKopacko
    • Device
    • Approved on
    • 0 Comments
    This query will search for reg keys that indicate your Sophos agent requires a reboot to complete installation/updates and the date it was flagged to be rebooted WITH rebootRequired AS (SELECT CASE WHEN data LIKE '1' THEN 'Yes' ELSE 'No' END...

  • Show computer where exist specific file

    Luc_GLLM
    • Files
    • Complete on
    • 1 Comment
    hi all, I wanted to ask you if it is possible to make a query to show all computers where there is (or where there is not) a specific file. Thank you

  • Live Discover Query to see the versions of any software installed on macOS

    JAIRO VALERIO ALFARO
    • Device
    • Approved on
    • 5 Comments
    Hello Sophos Team, I wanted a live discovery query that would retrieve the version of any software installed on macOS machines in my environment, as well as the hostname / IP of the machines. The purpose of this query is to verify and patch all programs...

  • Data Lake: Threat Indicators

    Kevin Kingston
    • Data Lake
    • Approved on
    • 2 Comments
    Similar to the Threat Indicators report in Central today, this query evaluates the machine learning and reputation scores to provide a list of the most suspect executables observed in the environment with the added benefit that customers can fine tune...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner