Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • RDP Audit

    MichaelCurtis
    • Data Lake
    • Under Review on
    • 0 Comments
    SELECT meta_hostname AS "RDP Destination", calendar_time, cmdline, remote_address AS "Connected From", local_address AS "Connected To" FROM xdr_data WHERE query_name = 'open_sockets' AND cmdline LIKE '%TermService%' ORDER BY calendar_time...

  • Search for Windows systems missing a specific patch

    tomfarrell
    • Data Lake
    • Approved on
    • 0 Comments
    /* Requires variable type string: kbnum */ /* using trino function to_unixtime() searching systems with ingestion timestamp within 30 days, 30 is hard coded into time filter */ select DISTINCT meta_hostname from xdr_data where meta_os_platform = ...

  • Query for a user's web history

    AitorBF
    • User
    • Under Review on
    • 0 Comments
    I think a query of a user's web history would be helpful. I see it useful for when there has been a download, for example of a PUA, to be able to know which user and from which url has downloaded it. Do you think this is possible? Thank you so much...

  • Hostnames with user "Administrator" saved in Windows Credential Manager

    ljohnson
    • Queries
    • Under Review on
    • 1 Comment
    We are trying to build a query to get a list of host names that have a user named Administrator in their Windows Credential Manager. We found something close that looks like it is going through the event logs looking for any time something was read from...

  • Query for missing default shares

    JeramyKopacko
    • Threat Hunting
    • Approved on
    • 0 Comments
    This query for create a virtual table from a URL file with defined CSVs. For this, we're going to look for missing default shares in Windows. As Microsoft indicates here, it can lead to various problems in the environment and in recent reports, it is...

  • Discover Google Chrome Browsers with Latest Zero Day

    JeramyKopacko
    • Data Lake
    • Approved on
    • 0 Comments
    SELECT meta_hostname AS Endpoint, MAX(CASE WHEN name = 'Google Chrome' THEN version END) AS Chrome FROM xdr_data WHERE query_name = 'windows_programs' and version != '96.0.4664.110' GROUP BY meta_hostname Google's full release of the CVE...

  • How to use ""File attributes and metadata" to find a file anywhere on a computer?

    Hyujfnr16
    • Files
    • Complete on
    • 1 Comment
    Hello! How can I use the Live Discover query called "File attributes and metadata" to locate a file that might be stored at any place on a computer, or at different places on different computers? This article on Sophos.com got me to thinking. They suggest...

  • Basic search to find Log4J running on hosts from the DataLake

    CraigJones
    • Compliance
    • Approved on
    • 30 Comments
    Basic search which lists processes that include log4j in the cmdline> on Windows, Mac and Linux. The query returns a lot of results but works for an insight into what's running on the estate. SELECT meta_hostname AS ep_name, name, cmdline, path...

  • Identify vulnerable Log4j Apache components

    Qoosh
    • Compliance
    • Approved on
    • 28 Comments
    Note: This query is designed for Linux only. For a basic search which lists processes called Log4J on Windows, Mac and Linux, please view this query. This query helps customers identify vulnerable Log4J components in their environment. It shows Log4J...

  • List Office Macro documents touched on a client computer (from Data Lake)

    LHerzog
    • Files
    • Under Review on
    • 4 Comments
    Hi, this Data Lake query finds all Office Documents by file name in a given time frame and on specific host or all hosts (wildcard) and only those, that have not been touched by a specific process (e.g. dropbox.exe) Unfortunately it does not find...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?