Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Live Response - Suspicious Process - Create a dump for offline analysis

    jak
    • Live Response
    • Approved on
    • 1 Comment
    REVIEWED by Sophos Imagine the scenario - you see what looks to be a suspicious process on an endpoint, maybe you've used Live Query to list modules but you need to dig a little deeper. Well, how about the following workflow: Initiate a Live Response...

  • Live Discover Query - Checking for redirected web traffic to unknown processes

    jak
    • Processes
    • Approved on
    • 1 Comment
    REVIEWED by Sophos While looking at the "sophos_ip_journal table", I noticed the interesting field "redirectionState" which could be useful to find traffic that is being covertly redirected to a local proxy before being sent on its way unbeknown to...

  • Live Discover Query - Show the % free disk space

    Karl Ackerman
    • Device
    • Approved on
    • 3 Comments
    REVIEWED by Sophos Often when a user complains about a device being slow or having problems the first thing to check is how much free disk space does the device have. You can use this to monitor the devices under management to determine if you should...

  • Help on creating event log query

    GiovanniGiovannelli
    • Events
    • Complete on
    • 2 Comments
    Hi, please can you help me in creating a query for extracting the last # events of Windows Application event log? Thanks Giovanni

  • Live Response - Using command line tools to check files

    jak
    • Live Response
    • Under Review on
    • 0 Comments
    There are a number of tools installed on the endpoint for evaluating files. For example: SAV32CLI.exe Sav32cli which is part of the Sophos Anti-Virus component. If you wished to scan a folder or file, from the command line you could run: sav32cli...

  • Live Response - Viewing the raw JSON Sophos Health trail files

    jak
    • Live Response
    • Under Review on
    • 0 Comments
    I can imagine a case where it might be helpful to process the raw trail files of Sophos Health found under: %ProgramData%\Sophos\Health\Event Store\Trail\ Note : It is possible to also get this information from Live Discover using the "sophos_events_summary...

  • Live Response - Don't forget Tamper Protection

    jak
    • Live Response
    • Under Review on
    • 1 Comment
    When performing a Live Response session, with a view to troubleshoot Sophos components, it may be worthwhile confirming if Tamper Protection (Endpoint Defense) is disabled. To do so you can run: "C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe"...

  • Live Response - Force an update from the command line and checking status

    jak
    • Live Response
    • Under Review on
    • 0 Comments
    Given that Live Response is now live! This might be a useful command to initiate an "update now" from the command line: powershell -command $(New-Object -comObject "ActiveLinkClient.ClientUpdate.1").UpdateNow(1,1) You can monitor the progress by watching...

  • Live Discover Query - Artifacts of infection - Registry and other strings

    jak
    • Registry
    • Approved on
    • 1 Comment
    REVIEWED by Sophos Given that malicious software is designed to evade detection and thwart the ability to remediate; there are plenty of registry keys that could provide some insight into prior infections or ongoing ones. I mention prior infections...

  • Live Discover Query - Virtual Devices

    jak
    • Device
    • Approved on
    • 1 Comment
    REVIEWED by Sophos Depending on the role of the user or device it might be worth exploring those computers that are running a virtual machine. This could be a computer on the network you don't have any visibility or control over that is being used by...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner