Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Process HTTP Calls

    JeramyKopacko
    • Processes
    • Approved on
    • 1 Comment
    In testing out Caldera recently, the sandcat tool brings up a good point of interest in identifying where GET calls are being made. SELECT sophos_http_journal.PID, sophos_http_journal.PID, datetime(sophos_http_journal.time,'unixepoch','localtime') AS...

  • XG FW - List all tables in the data lake

    Karl_Ackerman
    • Queries
    • Under Review on
    • 1 Comment
    List the tables in the data lake from an XG Firewall. -- List ALL XG FW Tables SELECT DISTINCT log_type, log_component, COUNT(dist_key) entries FROM xgfw_data GROUP BY log_type, log_component ORDER By log_type, log_component ASC Sample results...

  • Decode encoded powershell

    Karl_Ackerman
    • Processes
    • Approved on
    • 2 Comments
    With the common use of powershell by cobalt strike and every other threat actor, I though it would be nice to have a query that detects and decodes encoded powershell commands. The first query will simply decode base 64 encoded data (As you would see...

  • Asset Discovery Query

    Paul Lawrence
    • Device
    • Approved on
    • 0 Comments
    The below query will use the arp_cache table from the devices specified, take the MAC Address information from the results and send that via CURL to an API ( https://macvendors.com/api ) to pull in vendor information for the MAC addresses as another column...

  • When was the last scan completed on the endpoint

    Karl_Ackerman
    • Events
    • Approved on
    • 0 Comments
    Simple query to read the registry for the sophos scan status. SELECT substr(data, 1,4) YEAR, CASE CAST(substr(data, 5,2) AS INT) WHEN 1 THEN 'January' WHEN 2 THEN 'February' WHEN 3 THEN 'March' WHEN 4 THEN 'April' WHEN 5 THEN 'May'...

  • Device Activity (Multiple queries in one)

    Karl_Ackerman
    • Device
    • Approved on
    • 0 Comments
    As a threat hunter it is critical to get oriented quickly. When you have a device that has suspect activity on it and the threat hunter is still exploring what is happening they want a lot of different information about the device. This information is...

  • Remote Desktop | Terminal Services - Query server for brute force logins and geolocate where those logins are coming from.

    Brian Ritchie
    • Events
    • Approved on
    • 0 Comments
    These 2 queries were developed to assist with running checks on RDP or Terminal servers run on Windows Server. They typically have port 3389 open and are vulnerable to brute force attacks. This is the most popular and easiest manner that hackers gain...

  • Gather System Information

    JeramyKopacko
    • Device
    • Approved on
    • 2 Comments
    This query can be used for general IT. Perhaps a organization is considering new software or to compare serial numbers for warranty. SELECT uuid, hardware_serial, hostname, cpu_subtype, cpu_brand, printf("%.2f", CAST(system_info.physical_memory AS...

  • Find Local Administrative Accounts

    JeramyKopacko
    • User
    • Approved on
    • 1 Comment
    It may be useful to do a search for local administrative accounts in your device fleet. You could grab timestamps of when accounts were created to gain more insight. SELECT username, groupname, type, u.UID, g.GID, Description, comment FROM users u...

  • windows_wsl_installed

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    windows_wsl_installed SCHEMA atime long Last access time ctime long Time of the change event filename string Name of the file that has changed mtime long time of the most recent registry write path string...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner