Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • homebrew_packages

    Karl_Ackerman
    • Queries
    • Coming Soon on
    • 0 Comments
    Homebrew is a free and open-source software package management system that simplifies the ... Binary packages called "bottles" provide pre-built formulae with default options. Homebrew does not honor the default privileges of /usr/local ... This query...

  • firefox_addons

    Karl_Ackerman
    • Queries
    • Coming Soon on
    • 0 Comments
    Firefox addons from devices with that browser If you do not have firefox on any devices like me then you will not have any data, if someone could test that would be great. Schema: creator string Addon-supported creator string description...

  • deb_packages

    Karl_Ackerman
    • Queries
    • Coming Soon on
    • 0 Comments
    A Debian " package ", or a Debian archive file, contains the executable files, libraries, and documentation associated with a particular suite of program or set of related programs. Normally, a Debian archive file has a filename that ends in . deb. ...

  • chrome_extensions INFO

    Karl_Ackerman
    • Queries
    • Complete on
    • 0 Comments
    The chrome_extensions INFO provides details on chrome extensions We extend the chrome_extensions results with the common decorations, generic and data lake information available for all scheduled queries. chrome_extensions Scheduled Query Schema ...

  • changed_files_windows_sophos Info

    Karl_Ackerman
    • Queries
    • Complete on
    • 0 Comments
    The changed_files_windows_sophos provides information on all new or updated executables from the windows devices that have information in the data lake. NOTE: global_rep and global_rep data only has information for executables with some level of suspicion...

  • browser_plugins INFO

    Karl_Ackerman
    • Queries
    • Coming Soon on
    • 0 Comments
    The browser_plugins for Microsoft EDGE information from each device. We extend the browser_plugins query results with the common decorations, generic and data lake information available for all scheduled queries. browser_plugins Scheduled Query Schema...

  • Arp Cache

    Karl_Ackerman
    • Queries
    • Complete on
    • 0 Comments
    The arp cache information from each device can be used to help discover unmanaged devices in the sub-net that may have not generated any traffic that has transited the firewall. We extend the arp_cache query results with the common decorations, generic...

  • List all endpoint tables

    Karl_Ackerman
    • Queries
    • Under Review on
    • 0 Comments
    When deployed with the Endpoint software the EDR Data lake will be filled with the results of scheduled queries that are managed by sophos. Each query results in a data set that is available in the data lake. To access the information from a specific...

  • Vulnerability Scanner in a query

    Karl_Ackerman
    • Threat Hunting
    • Approved on
    • 3 Comments
    This query will perform a very basic vulnerability scan. What is does is generate a list of all installed applications on the device and collect their publisher, name and version information. We exclude things from the list that do not have version numbers...

  • Retrieve user creation/deletion and password reset events from the sophos_windows_events table

    Marcel
    • Events
    • Approved on
    • 0 Comments
    This query retrieves account creation, deletion and password reset events under Windows. You can specify the number of days you want to go back, which is specified in the variable Days (string). SELECT datetime(swe.time,'unixepoch') Date_Time, json_extract...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner