Sophos Community

Latest Live Discover and Response Queries (All)

Live Discover Query for all DNS requests in a time frame with process (ZTNA App discover)

LuCar Toni
- Uncategorized
- Approved on 4 Apr 2022
- 0 Comments
Hi Team, Here is a Live Discover Query for all DNS requests in a particular time frame from a device. You can use % for all processes or search for a particular process. -- DNS Lookups by Process -- $$Start Time$$ DATE -- $$End Time$$ DATE -- $$Process...
- 4 Apr 2022 8:54 AM
show devices where exist a file with a specific hash

Giulia Zambetti
- Files
- Complete on 18 May 2022
- 1 Comment
Hello, I would like to know if it is possible to make a query to show devices where there is a specific file in the Data Lake. Thank you
- 29 Mar 2022 12:41 PM
Query for MD5 hashes

Abdullah Lababidi
- Threat Hunting
- Under Review on 23 Mar 2022
- 3 Comments
Hello, I would like suggestions regarding how to put together a query to find MD5 hashes. There is a built-in query called Processes matching SHA-256 hashes in the last 30 days (below), but I would like to search for MD5 hashes not SHA-256, since...
- 23 Mar 2022 10:02 PM
Determine is device(s) are in EAP

SpencerBrown
- Registry
- Under Review on 11 Mar 2022
- 1 Comment
When a device is enrolled in Early Access, many of the Sophos service tags for registry keys go from RECOMMENDED to BETA. Upon reviewing the results of this query, if any devices return with "data" : "BETA" - those devices are in the early access program...
- 11 Mar 2022 8:30 PM
Sophos EDR: Query that will show me all users and groups (including domain accounts) in the local Administrators group of a PC

Matt Schmitt
- User
- Under Review on 17 Feb 2022
- 2 Comments
I want to see any users or groups that have been added to the Local Administrators group on a PC. Including domain users and groups. I've been looking at this post: https://community.sophos.com/intercept-x-endpoint/i/user/edr-query-to-find-all-local...
- 17 Feb 2022 5:10 PM
Query to collect Serial Numbers of computers

Christian Jake A Garduque
- Device
- Approved on 20 Apr 2022
- 2 Comments
Can someone help me. I need collect serial numbers of computers with sophos agent installed.
- 16 Feb 2022 12:28 AM
Querying Installed Version of Chrome?

Lisa Busby
- Files
- Complete on 18 May 2022
- 1 Comment
Hi All, Does anyone know of a way I can query to find the version of Chrome that is installed on an endpoint? Thanks.
- 15 Feb 2022 8:56 PM
Find all encoded PowerShell in the Data Lake

MichaelCurtis
- Data Lake
- Approved on 14 Jul 2022
- 0 Comments
This query will search the Data Lake for all encoded PowerShell that has been run WITH encoded_data AS ( SELECT calendar_time, name, username, meta_hostname, sophos_pid, cmdline, parent_name, parent_sophos_pid, query_name, replace(substr...
- 15 Feb 2022 4:43 PM
In live discover, how do I find a HASH list?

zewarma laisha
- Files
- Complete on 18 May 2022
- 1 Comment
hey. In my query, I am trying to find out if a HASH is located on a device (with a comma separating the values).I have a problem when consulting the hash table because it doesn't show me any value if I don't define a directory first, so I need to search...
- 10 Feb 2022 8:56 PM
Top threat indicators on Windows devices with exclusion list

AitorBF
- Threat Hunting
- Under Review on 7 Feb 2022
- 0 Comments
Hello World! I think is a great idea modify the default query "Top threat indicators on Windows devices" with a exclusion list of paths. I tried to add a pastebin link with the list of exceptions but it does not work for me. WHERE query_name...
- 7 Feb 2022 8:32 AM

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Live Discover Query for all DNS requests in a time frame with process (ZTNA App discover)

show devices where exist a file with a specific hash

Query for MD5 hashes

Determine is device(s) are in EAP

Sophos EDR: Query that will show me all users and groups (including domain accounts) in the local Administrators group of a PC

Query to collect Serial Numbers of computers

Querying Installed Version of Chrome?

Find all encoded PowerShell in the Data Lake

In live discover, how do I find a HASH list?

Top threat indicators on Windows devices with exclusion list

Submitted a Tech Support Case lately from the Support Portal?