Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Detecting IOCs from ACSC 2020-008 The Copy-Paste Compromise Notification

    AzRoN
    • Threat Hunting
    • Under Review on
    • 1 Comment
    REVIEWED by Sophos Hello all The Australian Federal Government recently issued a warning to all Australian's that we're under an increasing number of cyber attacks. Although this served as a general wanring to everyone, the Australia Cyber Security...

  • Live Discover - PowerShell command audit

    jak
    • Processes
    • Approved on
    • 0 Comments
    REVIEWED by Sophos Hello Threat Hunters! I mentioned in this post: https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/120201/live-response---command-audit/ how you could audit the history of PowerShell...

  • Live Discover Query - MAC address list

    AndyM
    • Network
    • Approved on
    • 2 Comments
    REVIEWED by Sophos A simple one for listing the interfaces of devices and their MAC addresses. Potentially handy if you need to check DHCP logs, firewall logs, or update your WIFI MAC filtering list. SELECT description "Desc", mac "MAC" FROM interface_details...

  • Live Discover Query - Authentication History for a User

    AndyM
    • User
    • Approved on
    • 1 Comment
    REVIEWED by Sophos This is a Windows-only query that looks at the system events logs to see logon history for users. This will show how a user is authenticated on Windows endpoints and servers. You can expect to see locally connected users (Interactive...

  • Live Discover Query - CPU Usage (Weighted)

    AndyM
    • Device
    • Approved on
    • 0 Comments
    REVIEWED by Sophos Hi guys, Been playing with live discover, which seems to be all I'm doing at the moment, it's a little addictive! Anyway wrote a simple query to collect the most active processes on devices. Unlike the cpu_time table, this query...

  • Detecting Kingminer IOCs

    Karl_Ackerman
    • Threat Hunting
    • Approved on
    • 2 Comments
    REVIEWED by Sophos See the story from Sophos Labs Uncut on KingMiner: https://news.sophos.com/en-us/2020/06/09/kingminer-report/ The article is both educational and enlightening. One of the aspects of KingMiner that is common with other attacks is...

  • Live Discovery Query: Identify new admin accounts

    Karl Ackerman
    • User
    • Approved on
    • 1 Comment
    REVIEWED by Sophos This query will identify new admin accounts created in the last N Days. SELECT u.username, (SELECT datetime FROM sophos_windows_events WHERE eventid = '4720' AND json_extract(json_extract(data, '$.EventData'),'$.TargetSid') = u...

  • Live Discover - Lateral movement detection

    Karl_Ackerman
    • Processes
    • Approved on
    • 2 Comments
    REVIEWED by Sophos With Live discover I wanted to explore if I can write a query to detect lateral movement between devices that are under management. Because Live Discover queries are run on individual devices we can not easily build a query that directly...

  • Live Discover Query - Living off the land BITS

    jak
    • Processes
    • Approved on
    • 1 Comment
    REVIEWED by Sophos There are many libraries one can use for making web calls, be it PowerShell, WinHTTP, XML but one of the more stealthy technologies is Background Intelligent Transfer Service (BITS). Information is available here as a starting point...

  • Live Discovery Query: How to bulk process a CSV List of SHA256 data

    Karl_Ackerman
    • Query Tips
    • Under Review on
    • 4 Comments
    REVIEWED by Sophos When hunting for indicators of compromise it is not uncommon to find a list of things you should be checking. In the example below I will show how to use variables to select some csv data that is under 5KB in size and then convert...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner