Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • How can I adjust this query so that it uses a list of items instead of just one file?

    Brian Dake
    • Files
    • Approved on
    • 2 Comments
    I assume that searching for a list of files at once would be faster than searching for each file individually. So, how can I adjust this query so that it uses a list of items instead of just one file? --- Descriptive name Variable type SQL Variable...

  • List top threat indicators for Windows

    Karl_Ackerman
    • Threat Hunting
    • Approved on
    • 1 Comment
    This query evaluates the machine learning and reputation scores to provide a list of the most suspect executables observed in the environment. Descriptive name Variable Type Notes Begin Search on date $$Begin Search on date$...

  • Generic Network activity search (Windows)

    Karl_Ackerman
    • Device
    • Approved on
    • 0 Comments
    This query provides a generic search for IP address and port information Descriptive name Variable Type Notes Begin Search on date $$Begin Search on date$$ DATE Provide a start date for the search Hours to Search $$Hours...

  • Generic Process Search on Windows

    Karl_Ackerman
    • Processes
    • Approved on
    • 0 Comments
    Hi folks, Sophos already published a canned query for 'Search for processes (Windows)', and while that one is really useful I had some asks for a different approach that allowed for larger time windows in the search and some different parameters. ...

  • Login Failed attempts Query For WINDOWS

    Danish
    • Events
    • Complete on
    • 2 Comments
    Hello Sophos Community, Ive been trying to find login failed attempts query for my threat hunting environment. I have search from github but no findings . Can anyone share with me the query please .

  • File information for file deleted by Sophos A/V

    Jeremy Lloyd1
    • Files
    • Approved on
    • 6 Comments
    Hi I cannot find a table which lists files that have been deleted by the A/V scan due to detected malware. I'm trying to find the file's date time stamp and file size. I've tried the sophos_file_journal table but it doesn't include the files that...

  • Queries from the March SophSkills presentation

    Karl_Ackerman
    • Queries
    • Approved on
    • 1 Comment
    Video: https://vimeo.com/519661823 Queries used: Queries used during SophSkills Demo DATA LAKE - List all EP and FW tables in the data lake This query will need to run against the data lake. As we add more sensors to the data lake we will be extending...

  • HAFNIUM targeting Exchange Servers with 0-day exploits

    RaviSoni
    • Threat Hunting
    • Under Review on
    • 0 Comments
    This query will perform a scan to check the WebShall present in the machine, One of the IOC technique released by Microsoft. WITH HOST_IOC AS ( WITH IOC_LIST (IOC_Type, Indicator) AS ( VALUES ('filepath','C:\inetpub\wwwroot\aspnet_client\%.aspx...

  • RDP Enrichment with AbuseIPDB Data

    Kris Wayman
    • Events
    • Approved on
    • 0 Comments
    This is a great query to start enriching RDP telemetry from your environment. You will need to sign up for an account with AbuseIPDB ( https://www.abuseipdb.com/ ) and generate an API key to call in the query below. -- YOU NEED TO EDIT THIS AND ADD...

  • Threat Hunting - Powershell Script Blocks

    AndyM
    • Processes
    • Approved on
    • 0 Comments
    With the Sophos process journals you can see loads of information about the execution of processes as well as their command lines, but you cannot see the session data used directly in powershell, since it is running within the same process. Thankfully...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner