Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • threat_stickykeys_registry_backdoor

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    Windows sticky keys have been changed SCHEMA data string Data content of registry value key string Name of the key mtime long time of the most recent registry write name string Name of the registry value entry...

  • threat_promisc_interfaces_linux

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    Detect promiscuous interfaces on LInux https://en.wikipedia.org/wiki/Promiscuous_mode SCHEMA flags int Flags (netdevice) for the device interface string Interface name loopback long Loopback interface mac string...

  • threat_pass_the_hash

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    Detects potential pass the hash threats SCHEMA eventid int The Windows event ID key_length int The length of NTLM Session Security key logon_process string The name of the trusted logon process that was used for the logon...

  • threat_osx_hidden_users

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    Scheduled queries with the Threat prefix are identification of potential threats that may warrant investigation. This identifies hidden users on OSX SCHEMA shell string User's configured default shell uid long The local user...

  • sophos_ips_windows

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    Sophos record of IPS activity on Windows SCHEMA destination_ip string The destination ip address of the ip event destination_port int The destination port of the ip event pids string List of PIDs protocol int...

  • running_processes_windows_sophos

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    Windows process history SCHEMA cmdline string Process command line file_size long File size now gid long Group ID (unsigned) of the user running the process global_rep int The machine learning global reputation...

  • running_processes_osx_events

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    Mac os running process info SCHEMA cmdline string Process command line egid long Effective group ID at process start euid long Effective user ID at process start gid long Group ID (unsigned) of the user running...

  • running_processes_linux_events

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    Linux running processes SCHEMA cmdline string Process command line egid long Effective group ID at process start euid long Effective user ID at process start gid long Group ID (unsigned) of the user running...

  • rpm_packages

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    RPM package info SCHEMA arch string Architecture(s) supported name string Name of the registry value entry release string Package release source string ` version string Plugin short version ...

  • pending_windows_updates_patch

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    Pending windows updates/patches SCHEMA hotfix_id string The kb article ID for the update installed string Is the update installed mandatory string Is the update mandatory msrc_severity string Severity of the...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner