Sophos Community

Latest Live Discover and Response Queries (All)

Find Domain Controllers

j0hnV
- Device
- Approved on 7 Feb 2022
- 0 Comments
REVIEWED by Sophos SELECT os_version.name os_name, services.name, services.display_name, services.start_type, services.path, services.status, services.user_account FROM services JOIN os_version WHERE services.name = 'NTDS' To only find machines...
- 24 Jul 2020 11:17 AM
Live Discover Query - That nasty Microsoft DNS bug - SigRED a.k.a CVE-2020-1350

AzRoN
- Threat Hunting
- Approved on 12 Jul 2022
- 1 Comment
REVIEWED by Sophos As the title says, Microsoft recently advised a of a nasty bug within MS DNS servers. NakedSecurity has a great write up with suggested actions, PATCH NOW. Or implement a work around. https://nakedsecurity.sophos.com/2020/07/15...
- 22 Jul 2020 6:31 AM
Live Response read text files; change configuration files etc.

Giu
- Live Response
- Under Review on 19 Jul 2020
- 2 Comments
Hello 99% of my time I use the GUI; so when it comes to use the CMD prompt I feel a little uncomfortable I am trying to use live response; in the kb and other documentation it is stated that with Live Response on windows you can: Reboot a device that...
- 19 Jul 2020 2:26 PM
List software installed between two dates

MichaelCurtis
- Device
- Approved on 7 Feb 2022
- 1 Comment
REVIEWED by Sophos This query will list all the software installed between two dates, taking Sophos out of the list. The variable screen is below. It also shows the format. Some software has no date so that is returned just in case it helps SELECT...
- 16 Jul 2020 2:20 PM
Check for conflicting windows security software

j0hnV
- Device
- Approved on 7 Feb 2022
- 1 Comment
REVIEWED by Sophos Customers confronted with unexplainable red statusses and installation/update issues were helped by this: ------- select * FROM windows_security_products WHERE name is not 'Windows Firewall' and name is not 'Microsoft Defender...
- 16 Jul 2020 10:43 AM
Check version of Firefox installed vs latest available

AndrewMundell
- Device
- Approved on 5 Apr 2022
- 0 Comments
REVIEWED by Sophos A quick and dirty query leveraging curl to get the latest version of Firefox from Mozilla.org and compare to the installed version. Uses curl a bit too much, but I'm having trouble using "with" clauses and parsing that result, hopefully...
- 15 Jul 2020 11:47 AM
BitLocker Status

MichaelCurtis
- Device
- Approved on 6 Feb 2022
- 0 Comments
REVIEWED by Sophos A query that will return the BitLocker status of an Endpoint SELECT device_id,drive_letter,percentage_encrypted, encryption_method, version, persistent_volume_id, CASE conversion_status WHEN 1 THEN 'Fully Encrypted' WHEN 2 THEN...
- 14 Jul 2020 9:55 AM
Identify all portable executables deployed or modified by a process name over time

Karl_Ackerman
- Anomalies
- Approved on 18 May 2022
- 0 Comments
REVIEWED by Sophos For this query we want to identify all portable executables that have been written to the device. We have some variables so if you want to can look for the Portable Executables created by a specific process %powershell% or all processes...
- 7 Jul 2020 6:08 PM
10 queries for exploring windows events and security groups

Karl_Ackerman
- User
- Approved on 29 Nov 2021
- 0 Comments
REVIEWED by Sophos The Sophos UK Sales engineering team has been getting familiar with live discover. In the work they explored group policy and provided the following queries: Deleted security groups - Variable to specify the number of days to...
- 6 Jul 2020 7:25 PM
Simple query to audit Microsoft RDP enablement status (from registry)

AndrewMundell
- Device
- Approved on 15 Jan 2022
- 0 Comments
REVIEWED by Sophos Just a quick query to audit the state of MS RDP via the registry, uncomment (remove the 2 leading '--' from the last line) to return only machines where RDP is enabled. SELECT CASE WHEN data = 0 then 'RDP Enabled' WHEN data...
- 2 Jul 2020 11:50 AM

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Find Domain Controllers

Live Discover Query - That nasty Microsoft DNS bug - SigRED a.k.a CVE-2020-1350

Live Response read text files; change configuration files etc.

List software installed between two dates

Check for conflicting windows security software

Check version of Firefox installed vs latest available

BitLocker Status

Identify all portable executables deployed or modified by a process name over time

10 queries for exploring windows events and security groups

Simple query to audit Microsoft RDP enablement status (from registry)

Submitted a Tech Support Case lately from the Support Portal?