Guest User!

You are not Sophos Staff.

Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • pending_osx_updates_patch

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    List pending updates/patch for MAC os x SCHEMA package_id string Label packageIdentifiers recommended string recommended restart string restart size long Size of the update title string Title of the...

  • osx_updates_patch

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    osx updates and patches. MAC OS. Not in the EAP but coming soon SCHEMA content_type string Package content_type (optional) name string Name of the registry value entry package_id string Label packageIdentifiers ...

  • opera_extensions

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    List opera extension info SCHEMA author string Optional extension author description string Plugin description text identifier string Plugin identifier name string Name of the registry value entry path...

  • open_sockets

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    List open socket info SCHEMA cmdline string Process command line local_address string Socket local address name string Name of the registry value entry parent long Process parent's PID path string ...

  • network_interfaces

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    list the devices network interfaces SCHEMA address string IPv4 address target broadcast string Broadcast address for the interface ibytes long Input bytes interface string Interface name mac string ...

  • listening_ports

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    listening_ports lists processes with listening ports SCHEMA address string IPv4 address target name string Name of the process path string Full path to the process pid long Process (or thread) ID port...

  • launchd_md5

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    This collects the SHA256 and SHA1 has of launchd processes on LINUX and no I do not know why the scheduled query has an MD5 in the name seeing as we do not get the MD5 value. launchd launchd has two main tasks. The first is to boot the system, and...

  • ioc_windows_registry_malware_sdbot

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    ioc_windows_registry_malware_sdbot this is a scheduled query to detect sdbot malware. https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Sdbot-MA/detailed-analysis.aspx Sophos protection capabilities should be protecting...

  • installed_applications

    Karl_Ackerman
    • Queries
    • Coming Soon on
    • 0 Comments
    List installed applications Windows. This will show applications added to the windows system during the data lake period (Default is 7 days) It needs to be tested SCHEMA bundle_executable string Info properties CFBundleExecutable label...

  • ie_extensions

    Karl_Ackerman
    • Queries
    • Complete on
    • 0 Comments
    Internet Explorer Extensions Schema name string Name of the registry value entry path string Full path to the value version string Plugin short version -- ie_extensions INFO SELECT -- Device ID DETAILS meta_hostname...
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?