Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Live Discover Query - Location

    jak
    • Device
    • Approved on
    • 2 Comments
    REVIEWED by Sophos This might be a little out there but you could look to locate all devices in the same physical location or had been in the same physical location or gather some data to locate a device should it be stolen. Windows maintains a list...

  • Live Discover Query - History of Safe Mode system startup

    Karl_Ackerman
    • Events
    • Approved on
    • 1 Comment
    REVIEWED by Sophos We want a query to list the boot history of the device and if the boot was into safemode or not. SELECT CAST(datetime(time, 'unixepoch') AS TEXT) AS 'System Startup Date-Time', CASE JSON_EXTRACT(data, '$.EventData.BootMode') WHEN...

  • Live Discover Query - Windows Management Instrumentation Event Subscription

    Dakota Mercer-Szady
    • ATT&CK
    • Approved on
    • 1 Comment
    REVIEWED by Sophos "Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs" ( T1084 ). The Sophos MTR Operations team has investigated and responded...

  • Live Discover Query - SDBot Malware - RAT

    Jordon Carpenter
    • Threat Hunting
    • Approved on
    • 1 Comment
    REVIEWED by Sophos Here is a specific query identifying SDBot Malware used by the TA505 hacking group: SELECT DISTINCT srj.time AS event_timestamp, srj.keyName, srj.value, srj.eventType, srj.sophosPID, srj.valueName, 'REG_BINARY' AS valueType, 'SDBbot...

  • Live Discover Query - Brute Force Activity

    Jordon Carpenter
    • Events
    • Approved on
    • 1 Comment
    REVIEWED by Sophos Here is a query to identify activity that resembles brute force activity: SELECT eventid, JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS subject_username, JSON_EXTRACT(data, '$.EventData.SubjectDomainName') AS subject_domain...

  • Live Discover Query - Malware persistence

    Guido Denzler
    • Threat Hunting
    • Approved on
    • 2 Comments
    REVIEWED by Sophos Below are a few basic queries for pulling back data from places that malware likes to use for persistence. First up Registry Run keys: SELECT r . path , r . name , r . data , REPLACE ( REPLACE ( REPLACE ( REGEX_SPLIT ( r . data...

  • Live Response - Making use of Sysinternals tools

    jak
    • Live Response
    • Under Review on
    • 0 Comments
    Given how useful the Sysinternals suite of tools is, it's probably worth a quick post to show how these can be obtained and used via Live Response to save disrupting an end user. Thankfully Sysinternals exposes the tools at the following location: ...

  • Live Discover Query - IFEO (someone had to mention it)

    jak
    • Registry
    • Approved on
    • 1 Comment
    REVIEWED by Sophos No list of queries would be complete without at least one which focused on the "Image File Execution Options" or IFEO keys. In short, the IEFO key can be used to alter the behaviour of a given process at start-up. It is primarily...

  • Live Response - Command audit

    jak
    • Live Response
    • Under Review on
    • 0 Comments
    At the current time you can specify a reason for the connection but once connected it maybe helpful to document a list of commands run. From the default command prompt to print a list of previous commands for the session you can run: doskey /history...

  • Live Response - Performance Check

    jak
    • Live Response
    • Under Review on
    • 1 Comment
    One of the most common problems users report is performance. These might be, the vague: "It just seems generally slow", or "when I do X it takes forever". Well from the command line and through the magic that is Live Response, you can now answer these...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner