Guest User!

You are not Sophos Staff.

Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Query for Device Inventory

    Manny Singh
    • Device
    • Complete on
    • 1 Comment
    Hi Team, Would it be possible to query the below details for device : 1. DNS Name /FQDN 2. Logged in (Domain ) 3. Last logged in user 4. IP address 5. Group 6. Status 7. Operating system and version 9. Last update 10. Status 11....

  • XDR Data Lake Question

    JC2022
    • Device
    • Complete on
    • 2 Comments
    On XDR Data Lake query, can you find the public IP that the device is connected to? So far I've only seen the local IP or the IP that the device connects to. Thanks

  • Verify if an endpoint agent is on the new SDDS3 update mechanism

    Sylvain_Roy
    • Device
    • Approved on
    • 1 Comment
    This query will verify if the Sophos Endpoint Agent is on the new SDDS3 update mechanism. https://support.sophos.com/support/s/article/KB-000043550?language=en_US SDDSStatus will indicate if the endpoint is on SDDS2 or SDDS3. An SDDS3Ready status...

  • Query Local Administrators / Endpoint Query / DataLake Query

    Florian Garrecht
    • Data Lake
    • Under Review on
    • 1 Comment
    Hello Community! I'm looking for a solution to make use of the DateLake data (I'm still XDR / LiveDiscover newbie). I would like to query all local administrators of computers that do not have the default names. For this I already have a small query...

  • Sophos Central Live Discover "User account locked out" query missing timestamps

    Sophos User2229
    • User
    • Under Review on
    • 8 Comments
    "User account locked out (Data Lake)" query in Live Discover is missing timestamps for the individual events in the report. How can we get the time stamps? Knowing the event happened but not knowing when significantly hampers the investigation. Is...

  • Hunting query for follina 0-click RCE - not optimised for performance

    reg1nleifr
    • Data Lake
    • Approved on
    • 3 Comments
    SELECT ARRAY_JOIN(ARRAY_AGG(DISTINCT windows_processes.meta_hostname), CHR(10)) AS ep_list, COUNT(DISTINCT windows_processes.meta_hostname) AS ep_count, windows_processes.name AS process_name, windows_processes.path AS path, windows_processes...

  • Search mail flow logs for specific URL

    JeramyKopacko
    • Email
    • Approved on
    • 0 Comments
    This query will use the Sophos Central Email Maiflow connector (avail for Office 365) data to search for a specific URL in your users mail. This may be useful to see how many people saw a certain link or identify who may have interacted with it. --...

  • Scanning for activity of IPv6 and NetBIOS

    Christopher Danby
    • Network
    • Under Review on
    • 1 Comment
    Hi, I am looking for a way to have a query to detect all activity of NetBIOS and IPv6. These two ports need to be disabled on all network devices so I am looking for a query I can run on a monthly basis to confirm these ports are disabled. From...

  • Outbound SMB Traffic

    Albert Straniti
    • Network
    • Approved on
    • 1 Comment
    I am trying to determine what process is generating outbound SMB traffic on a system. I can see the traffic in the firewall logs, but when I use the query below, nothing comes up. It doesn't matter which system I check, or whether I use port 137 or 445...

  • Yara rules not returning results

    Chris Smith4
    • Threat Hunting
    • Under Review on
    • 0 Comments
    Cannot get results back from online rules (based on this https://community.sophos.com/intercept-x-endpoint/b/blog/posts/yara-scanning-rules-with-sophos-xdr ) so tried the simplest osquery I could think of: SELECT * FROM yara WHERE path = 'c:\windows...
Unfiltered HTML