Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Check if certificates are about to expire in the next N days

    Karl_Ackerman
    • Device
    • Approved on
    • 0 Comments
    REVIEWED by Sophos This query checks the certificates table and calculates if any certificates are going to be expiring in the next N days. If you are like me you have a story of when the business was impacted by some certificate expiring on a product...

  • Detecting a recurring beacon/call-home process

    Karl_Ackerman
    • Network
    • Approved on
    • 0 Comments
    REVIEWED by Sophos This may not work as it is trying to do a fair bit of number crunching and if the device has had a large number of network connections we will run into the watchdog process. As it stands this may take a few minutes to complete, during...

  • Another Story from the Front Line: Has CobaltStrike or PowerShellEmpire been installing services on the device

    Karl_Ackerman
    • Events
    • Approved on
    • 0 Comments
    REVIEWED by Sophos Like the earlier post we are often helping an account after they have been breached and are needing to deploy InterceptX with EDR on devices that where breached. In these situations we can't depend on the Sophos Journals for our historic...

  • Query - Are any Sophos services not running?

    Karl_Ackerman
    • Processes
    • Approved on
    • 3 Comments
    REVIEWED by Sophos Sometimes adversaries are able to stop Sophos services, or the endpoint has had an install or update issue. As long as the live discover services are up an running you can find devices that do not have all the needed Sophos services...

  • Stories from the Front Line - Finding files modified by ransomware

    Karl_Ackerman
    • Files
    • Approved on
    • 0 Comments
    REVIEWED by Sophos The Sophos Incident Response team is often very busy, today I checked in on some of their current efforts to help accounts respond to active breaches and lent a hand with a query. An account had ransomware hit some unprotected devices...

  • MITRE ATT&CK Generic detector for some TTPS

    Karl_Ackerman
    • ATT&CK
    • Approved on
    • 0 Comments
    REVIEWED by Sophos I have been experimenting with queries that identify activity that maps to the ATT&CK framework from MITRE. We have published some queries that already do some of that work. (Search for the Caldera query in the console). Below is...

  • Live Response: Temperature of a machine

    j0hnV
    • Live Response
    • Under Review on
    • 2 Comments
    REVIEWED by Sophos In Celsius -------------------------------------- function Get-Temperature { $t = Get-WmiObject MSAcpi_ThermalZoneTemperature -Namespace "root/wmi" $returntemp = @() foreach ($temp in $t.CurrentTemperature) { $currentTempKelvin...

  • What if I installed after the breach happened? Hunting through windows event logs

    Karl_Ackerman
    • Events
    • Approved on
    • 0 Comments
    REVIEWED by Sophos If you are in a situation where you installed the CIXA-EDR product after a breach has already happened or is underway you will not have any of the sophos journals to hunt through for how the breach happened. Without the recorded history...

  • List of RDP Sessions in last N Days

    Karl_Ackerman
    • Events
    • Approved on
    • 0 Comments
    REVIEWED by Sophos This query takes a variable called 'Days to look back from now' and searches the windows event logs for evenit ID 1149 then uses JSON extract to get the username and remote IP address info for the remote terminal sessions. SELECT...

  • Check version of Notepad++ installed vs latest available

    AndrewMundell
    • Device
    • Approved on
    • 0 Comments
    REVIEWED by Sophos Followup to the Firefox query, repeating the process for Notepad++. SQL published at https://gist.github.com/andrewmundellsophos/17ea7cd7614fc61c3046e64586c4186b and pasted below: --Tested and working as of 2020-07...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner