Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Adobe Vulnerability - CVE-2021-28550

    Patrick Moubarak
    • Threat Hunting
    • Under Review on
    • 1 Comment
    EDR query to identify the endpoints affected by the Adobe vulnerability CVE-2021-28550 Adobe Security Bullitin: https://helpx.adobe.com/security/products/acrobat/apsb21-29.html Windows: SELECT CASE WHEN ( (SELECT 1 FROM programs WHERE name LIKE...

  • Query A Specific File Path for Items and Compare File Scoring

    JeramyKopacko
    • Files
    • Approved on
    • 0 Comments
    ## Use descriptive name “filepath” as variableType “File Path” SELECT sfp.sha256, sfp.mlScore, sfp.puaScore, sfp.globalRep, sfp.localRep, f.path, f.filename, datetime(f.atime,'unixepoch','localtime') AS Last_Accessed, datetime(f...

  • Query EXEs in Suspicious Location & Compare Scoring

    JeramyKopacko
    • Threat Hunting
    • Approved on
    • 0 Comments
    This will use the Sophos File Journal to compare ML, PUA, Local and Global Scoring in suspicious locations SELECT sfp.sha256, sfp.mlScore, sfp.puaScore, sfp.globalRep, sfp.localRep, f.path, f.filename, datetime(f.atime,'unixepoch','localtime...

  • Query Powershell Version

    JeramyKopacko
    • Device
    • Approved on
    • 0 Comments
    This will query and return your PS versions SELECT name, type, key, data, CASE WHEN data LIKE '1.%' THEN 'PS Version 1' WHEN data LIKE '2.%' THEN 'PS Version 2' WHEN data LIKE '3.%' THEN 'PS Version 3' WHEN data LIKE '4.%' THEN 'PS Version 4' WHEN data...

  • Query SMB Version As Case Statement

    JeramyKopacko
    • Device
    • Approved on
    • 0 Comments
    This will return all devices with SMB v1, 2, or 3 set SELECT name, type, key, data, CASE WHEN (name = 'SMB1' AND data = 1) THEN 'SMB Version 1' WHEN (name = 'SMB2' AND data = 1) THEN 'SMB Version 2' WHEN (name = 'SMB3' AND data = 1) THEN 'SMB Version...

  • Load a local CSV file or Remote CSV File as a virtual table

    Karl_Ackerman
    • Query Tips
    • Under Review on
    • 0 Comments
    You can supply a file path or URL location where a CSV File is located and it will load it into a virtual table for use with the query. Watch the Video then play with the query. https://vimeo.com/545619419 -- LOAD CSV from GIT LOCATION -- VARIABLE...

  • Dell vulnerability - CVE-2021-21551.

    RaviSoni
    • Threat Hunting
    • Approved on
    • 0 Comments
    EDR query can identify the endpoints if they are affected by dell vulnerability CVE-2021-21551. https://nakedsecurity.sophos.com/2021/05/05/dell-fixes-exploitable-holes-its-own-firmware-update-driver-patch-now/ -- Check if the dbutil_2_3.sys file...

  • Find traffic for destination port

    j0hnV
    • Network
    • Approved on
    • 1 Comment
    Variables DestinationPort and DaysToLookBack SELECT strftime('%Y-%m-%dT%H:%M:%SZ', datetime(snj.time,'unixepoch')) dateTime, u.username userName, snj.sophosPID, spj.processName processName, CAST(spj.cmdline AS TEXT) cmdLine, snj.source, snj.sourcePort...

  • Windows PCs inventory asset discovery info

    Diego Tavolari
    • Device
    • Approved on
    • 4 Comments
    Hi, I've been working on this for a few days. I know there are a few of these already on the forum, but thought I'd share in case anybody found this one useful. SELECT /*User section*/ logged_in_users.user User_Name, /*System Info*/ system_info.cpu_brand...

  • Examine for a specific driver vendor type and version

    Gerald Szakal1
    • Device
    • Approved on
    • 3 Comments
    Given the recent news about Nvidia GPU driver kernel escalation bugs, I would like to know if it is possible to search for drivers with the following; Use a variable to examine for a single driver like nvidia. report the version of the driver. ...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner