Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Live Discover Query: ALL system activity for N seconds from a date/time

    Karl_Ackerman
    • Processes
    • Approved on
    • 2 Comments
    REVIEWED by Sophos This query will show ALL system activity that was recorded from a time period. Given the volume of data that can be returned we recommend only pulling a few seconds of information at a time and then using that to narrow down on...

  • Live Discovery Query - SophosPID process activity digest

    Karl_Ackerman
    • Processes
    • Approved on
    • 0 Comments
    REVIEWED by Sophos We have added a new table to the sophos forensics journals. The sophos_process_activity table. Often as part of an investigation you need to to get a quick view of what a process did in the past and this table provides a quick lookup...

  • Live Discover Query - Abusing netsh

    jak
    • ATT&CK
    • Approved on
    • 1 Comment
    REVIEWED by Sophos It's probably worth a couple of minutes to mention this item: https://attack.mitre.org/techniques/T1128/ Essentially good ol' netsh can be used to load a malicious module and that it offers persistence. The tool does document this...

  • Live Discovery Query - Netsh - is something or someone allowing access?

    jak
    • Processes
    • Approved on
    • 1 Comment
    REVIEWED by Sophos I can imagine the scenario where malware has executed and maybe looks to set up a communication channel. In order to allow itself through the Windows firewall, it may well add an incoming rule using the command line tool netsh. It...

  • Live Discover Query - General IT queries

    bazcurtis
    • Device
    • Approved on
    • 3 Comments
    Hi, I have been looking at Live Discover and like the look of it. I am not an expert in Threat Hunting, but I was hoping I could use Live Discover to help me with my day to day IT tasks. I was thinking along the lines of the following. Machine is...

  • LIve Discovery Query: Process tree for a SophosPID

    Karl_Ackerman
    • Processes
    • Approved on
    • 2 Comments
    REVIEWED by Sophos One of the first things I like to understand when looking at a suspect process is how did it get started and what children processes if any did it create. To do that we need to build a process tree from the sophos process journal...

  • Live Response - Capturing network traffic

    jak
    • Live Response
    • Under Review on
    • 1 Comment
    REVIEWED by Sophos Given the ability to utilize Live Query, specifically the tables 'sophos_http_journal', 'sophos_ip_journal', 'sophos_url_journal', etc. I can see how it might be interesting to conduct a packet trace via Live Response. When people...

  • Live Discover Query + Response in combination for file source investigation

    jak
    • Query Tips
    • Approved on
    • 1 Comment
    REVIEWED by Sophos I'm not aware that the current version of Live Query at least on Windows can obtain the equivalent of extended attributes of a file. That said, if you see a file you would like some more information on, i.e. the download source of...

  • Live Response - Investigating other devices

    jak
    • Live Response
    • Under Review on
    • 0 Comments
    Given the scenario where you have a number of computers at a site and in the same subnet, it may be possible to perform some remote diagnostics. Some example PowerShell commands are included below that could be used as-is or modified as needed. Finding...

  • Live Discover Query: Common productivity files (documents/pictures) that were deleted or modified in the last 24 hours

    Karl_Ackerman
    • Files
    • Approved on
    • 1 Comment
    REVIEWED by Sophos This query generates a list of the file delete and modifiications by process and user for the last 24 hours. It can take some time to run but does what it says. /*************************************************** divided 24 hours...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner