Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Query for Applications that Auto Start

    JeramyKopacko
    • Device
    • Approved on
    • 2 Comments
    SELECT name as 'Key Name', source as 'Start Up source', path as 'Path', args as 'Aruments', username as 'Owner', status as 'Status' FROM startup_items ORDER by status This may be used to identify persistence or unidentified startup items

  • Query Trusted Root Certs

    JeramyKopacko
    • Device
    • Approved on
    • 0 Comments
    SELECT common_name, issuer, strftime('%d/%m/%Y', datetime(not_valid_after, 'unixepoch')) as expiration_date FROM certificates WHERE path = 'CurrentUser\Trusted Root Certification Authorities' ORDER BY common_name You can break this query down further...

  • Live Discovery - Need help to get current IP address

    Diego Tavolari
    • Network
    • Approved on
    • 5 Comments
    Hi, need some help on creating a query that will show me the current IP address the machine is connecting from. Is there any nice easy way of doing this? I've tried with: interface_addresses.address Network_IP, But that returns the IP for all existing...

  • Add username to Windows Programs query

    Inactive MUZ
    • Device
    • Approved on
    • 1 Comment
    Hello everyone, I need help with a simple query as I'm not well versed in SQL. Basically this is the query: SELECT name, version, install_location, install_source, publisher, install_date, identifying_number FROM programs Where name LIKE '%CAD%' ...

  • Application Inventory Query

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    I thought I had already published this one and if I can't find it I suspect others have that same challenge. This was from one of the videos to show how the data lake can go broad and the devices dive deep. -- Application Inventory across all devices...

  • Search subfolders for a specific filename or extension.

    Genc Kelmendi
    • Files
    • Approved on
    • 1 Comment
    Useful query to search entire subfolders for a specific extension or a filename. Supports wildcards in path and filename. SELECT path, directory, filename, device, size FROM file WHERE directory LIKE 'C:\users\%\desktop%%' AND filename LIKE '%%.exe...

  • Finding the Sophos Machine ID

    AndyM
    • Device
    • Approved on
    • 2 Comments
    Each device managed by Sophos has a unique machineID. This is created at the time of installation. There are some scenarios where it's useful to be able to search for a unique machineID, or a collection of them. -- Name: List Sophos Machine IDs ...

  • ASCII FILE Reader, HEX Dump, STRINGS Search for Binary and MORE

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    With XDR we are adding a pair of new Sophos extensions GREP and HEX_TO_INT both of these come in handy when you want to read a file and show the contents as the result of a query. ASCII DUMP -- Perform an ASCII DUMP for a file -- VARIABLE ...

  • Hafnium check

    Karl_Ackerman
    • Threat Hunting
    • Approved on
    • 1 Comment
    WE have a number of queries for hafnium and additional news articles. Check out the news https://news.sophos.com/en-us/2021/03/05/hafnium-advice-about-the-new-nation-state-attack/ See the video on how to take the query from the article and run it...

  • Excluding Hashes from various scans

    Gerald Szakal1
    • Files
    • Approved on
    • 3 Comments
    Hello all I am running a number of scans including but not limited to "Unsigned applications that were run" which I believe I got from this site. I find the results to be extremely "busy" with so many pages it is almost unusable (155). I am looking...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner