Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Threat Hunting - Discovery of Password Policies

    AndyM
    • Threat Hunting
    • Under Review on
    • 0 Comments
    A simple query to look for executions of net.exe that make use of the account switch. These are sometimes used by adversaries to discover the local and domain password policies that are in enforced. -- Account Discovery: Password Policies -- T1201 looking...

  • Threat Hunting - Account Discovery

    AndyM
    • Threat Hunting
    • Approved on
    • 0 Comments
    Here is a simple query that can be used to look for any executions of the net.exe command. These are often used by threat actors and malware alike to discover the username and group memberships of local as well as domain accounts. -- Account Discovery...

  • EDR Query to find all local admins (Windows)

    Jacob Jensen2
    • User
    • Under Review on
    • 17 Comments
    I am searching for a way to query the local Administrators security group on every device in our environment. This seems like something Live Discover is capable of doing, but I haven't been able to figure out the OSQuery syntax to get it done. Right now...

  • Generic Search

    Karl_Ackerman
    • Anomalies
    • Approved on
    • 0 Comments
    One thing everyone wants is a generic search capability. Like what did that user run, or did process x run, or even do I have command lines with https references in them. (Someone clicked on a link) So a quick generic search is described below. Have...

  • MITRE ATT&CK EXFILTRATION Tactic IOC Detection

    Karl_Ackerman
    • ATT&CK
    • Approved on
    • 1 Comment
    Here is a query that looks at process and cmdlines to map to IOCs in the Exfiltration tactic for Mitre -- VARIABLE $$Start Search on Date and Time$$ DATE -- VARIABLE $$Total Hours to search$$ STRING -- Process cmdline IOC search, mapped to MITRE...

  • MITRE ATT&CK IMPACT Tactic IOC Detection

    Karl_Ackerman
    • ATT&CK
    • Approved on
    • 0 Comments
    Experimenting with a simple query to detect IOC's based on process/cmdline analysis. This one below maps the MITRE ATT&CK framework for IMPACT. -- VARIABLES -- Start Search on Date and Time Date -- Total Hours to search STRING -- Detect MITRE...

  • Detecting RED TEAM Activity

    Karl_Ackerman
    • Threat Hunting
    • Approved on
    • 1 Comment
    I suspect for most of us reading these posts, we have had the experience of a RedTeam test. This is where you as a business hire an outside party to perform a penetration test of your organization. They can use lots of different tactics from phishing...

  • Why this query doesn't work?

    Genc Kelmendi
    • Query Tips
    • Under Review on
    • 2 Comments
    What's wrong with this query? Why it doesn't work? I know for a fact that there are files named "VIRUS.exe", and yet live discovery doesn't return any results. SELECT path, directory, filename, device, size FROM file WHERE path LIKE '%VIRUS.exe%' ...

  • IOC Hunt for Solarwinds

    CraigJones
    • Threat Hunting
    • Approved on
    • 1 Comment
    We've released a small hunt query/iocs for the reported solarwinds attacks - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://github.com/sophos-cybersecurity...

  • Process that writes on Shadow Copy space

    GiovanniGiovannelli
    • Processes
    • Approved on
    • 2 Comments
    Any idea for creating a query in order to extract a list of processes that write on Shadow copy space during a specified interval of time? Thank you
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner