Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • Live Discover Query - Ransom note discovery?

    jak
    • Files
    • Approved on
    • 6 Comments
    REVIEWED by Sophos I'm not sure if this would work, or even how much merit there is in trying but here goes anyway. Ransomware, to the best of my limited knowledge, tends to add some sort of instruction file to an obvious location such as the user...

  • Live Discover Query - BitLocker

    Marcel
    • Device
    • Approved on
    • 1 Comment
    REVIEWED by Sophos The first query will show for Windows devices if any drive has been encrypted using BitLocker: select drive_letter as "Drive Letter", case protection_status when "1" then "ENABLED" else "DISABLED" end "Protection Status", encryption_method...

  • Live Discover Query - Vulnerability check for ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability

    Karl_Ackerman
    • Threat Hunting
    • Approved on
    • 2 Comments
    REVIEWED by Sophos Windows has a zero-day that won’t be patched for weeks Well another day another zero day vulnerability. Today I am looking at how to best create a vulnerability check given information in a CVE and a Microsoft Notification. In this...

  • Live Discover Query - Do all my services have quoted paths where needed?

    jak
    • Anomalies
    • Approved on
    • 1 Comment
    REVIEWED by Sophos To search for services on your computers which expose the computer to the classic Unquoted Service Path vulnerability, the following basic command could be run: SELECT name, path FROM services WHERE path LIKE "% %" AND path LIKE...

  • Live Discover Query - Sysinternals

    jak
    • Processes
    • Approved on
    • 1 Comment
    REVIEWED by Sophos We all know how useful the tools from Sysinternals are. Thanks Mark! Clearly they are so useful that the crooks use them too, in particular, PsExex is a favorite. When these tools are run you have to accept a Eula, this state is...

  • Live Discover Query - RDP history

    jak
    • Events
    • Approved on
    • 5 Comments
    REVIEWED by Sophos As RDP is always a hot topic in the world of security, it might be helpful to gain a report of perhaps who is connecting to where. The default RDP client, mstsc.exe maintains a history of the computers connected to under the following...

  • Live Discover Query - Minimum hardware check

    jak
    • Device
    • Approved on
    • 1 Comment
    REVIEWED by Sophos Given the advice in article 121027 regarding recommended hardware specifications. For example, Intercept X Advanced with EDR and MTR is: Disk space: 8 GB free RAM: 4 GB Cores: 2 The following query could be used to identify...

  • Live Discover Query - Software version check

    jak
    • Device
    • Under Review on
    • 2 Comments
    REVIEWED by Sophos One thing I have found helpful with osquery is the flexibility it provides for what sometimes seems an obvious task such as the version of a piece of software. Take for example the client software of Zoom given it's pretty popular...

  • Live Discover Query - UAC check and no need to re-invent the wheel

    jak
    • Device
    • Approved on
    • 1 Comment
    REVIEWED by Sophos While thinking about other useful queries, for example checking where UAC is disabled on Windows computers: select data 'EnableLUA' from registry where key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System...

  • Live Discover Query - identify devices where services could be an issue

    jak
    • Processes
    • Under Review on
    • 1 Comment
    REVIEWED by Sophos One possibility is to simply query the "services" table for service status, for example: select s.display_name, s.status from services as s where (s.display_name like 'Sophos%' or s.display_name like 'HitmanPro%') and s.status ...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner