Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Data Lake: Show network activity for defined Sophos Process ID

    Kevin Kingston
    • Data Lake
    • Approved on
    • 0 Comments
    This query will detail network activity for a defined Sophos Process ID -- Data Lake show network activity for defined Sophos Process ID -- VARIABLE $$sophos_pid$$, SophosPID WITH split_pids AS ( SELECT x2.new_pid, x1.* FROM xdr_data...

  • Hunting in the Data lake then pivoting to the device for details

    Karl_Ackerman
    • Data Lake
    • Approved on
    • 0 Comments
    So with this query you can see MITRE ATT&CK classifications for a few hundred TTPs /**************************************************************************\ | This query was derived from examination of the CALDERA, Atomic RedTeam | | and other...

  • Live Discover MITRE ATT&CK Classification and Hunting

    Karl_Ackerman
    • ATT&CK
    • Approved on
    • 0 Comments
    Hi folks an experimental query to perform MITRE ATT&CK classifications with data from an external repository (GIT) While we build out the backend to allow us to run with thousands of classification heuristics and richer more complex machine learning...

  • Live discover: How to check Windows updates Available or not installed

    Team Management Infrastructure Clients
    • Device
    • Approved on
    • 6 Comments
    Hi friends, I've been trying create a query about how display all patches or windows updates available from a server. I tried this, but doesn't work: SELECT meta_hostname AS ep_name, hotfix_id, caption, description, FROM xdr_data WHERE query_name...

  • Query SNTP Logs On A Specific Date

    JeramyKopacko
    • Network
    • Approved on
    • 0 Comments
    It may be valuable to view the parsed logs from your Sophos Network Threat Protection engine. Here you can see the time stamps, PID, program and URL accessed. --Declare YYYY-MM-DD as a string variable WITH sntp_table AS (SELECT * FROM grep WHERE...

  • Query IPS (snort) Rules on Endpoint

    JeramyKopacko
    • Other queries
    • Approved on
    • 0 Comments
    Many thanks to Karl_Ackerman for the assist on completing this query. It may be valuable to discover what rule sets are currently deployed to your snort (IPS) engine. WITH ips_rule_table AS (SELECT * FROM grep WHERE path = 'C:\ProgramData\Sophos\Sophos...

  • "Looping" through list in Live Query

    Kyle Parrish
    • Files
    • Complete on
    • 8 Comments
    Good afternoon! I am working on a query where I would like to essentially perform a "For Each Loop" on the results. I am not sure what the SQL equivalent is. Can someone assist me and/or direct me to the proper syntax? Based on the following query...

  • Email notification for scheduled queries

    Fabrice B
    • Email
    • Complete on
    • 4 Comments
    Hello all, Would like to know if it is possible to get results from scheduled queries directly per mail? I don't know if this feature exists but I wasn't able to find it out, hope this feature already exists, if not is there any roadmap or deadline...

  • Query for "Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability"

    RaviSoni
    • Threat Hunting
    • Approved on
    • 0 Comments
    Cisco Security has recently updated (21 May 2021) the information about this vulnerability. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK The query performs the checks if the endpoint is affected...

  • Follow-up Windows updates patch (Data Lake)

    Fabrice B
    • Data Lake
    • Approved on
    • 4 Comments
    Hi, As many of you, I would like to list all machines that are out of date concerning "windows updates patch" (KBxxxxx), I know it is a tricky one after reading lots of idea submissions in this community ;-) That's why my 1st goal would be to get...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner