Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • querie with file movements, on computers, to external storage

    Victor Domingo
    • Queries
    • Under Review on
    • 0 Comments
    It's possible ? be able to see the movements of all files on all computers to external storage.

  • Live Response: Controlling Windows Firewall Using Netsh

    JeramyKopacko
    • Live Response
    • Under Review on
    • 0 Comments
    Imagine a scenario where you discover vulnerable ports or need to temporarily block an application, port, or other. Many environments will leverage GPOs to set their profiles and exceptions. On the fly, we can make changes in real-time to protect the...

  • Geolocate Device

    Paul Lawrence
    • Device
    • Approved on
    • 0 Comments
    This simple query leverages Live Discover using cURL to geolocate devices. Here's how it works: cURLs out to ifconfig.me/ip to grab the devices' WAN IPs using the response of step one as input, cURLS out to ipapi.co to find location information...

  • Query - IOC´s From GitHub list

    Rafael Moura
    • Threat Hunting
    • Under Review on
    • 2 Comments
    /* Desc: Number of Hours of activity to search / TYPE: String / SQLVAR: $$Number of Hours of activity to search$$ Desc: RAW IOC List location from a URL / TYPE: String / SQLVAR: $$RAW IOC List location from a URL$$ / Value: ... Desc: Start Search From...

  • Decoding message_attachments from the xdr_xge_att_data table

    Sevensix
    • Data Lake
    • Under Review on
    • 0 Comments
    Hello Forum, I'm trying to decode the message_attachments from the xdr_xge_att_data table. If you query, you get a result which looks like JSON but it seems is not. I tried with JSON queries like this: CAST (" message_attachments " as JSON), json_extract...

  • Compare Specific Program Version

    JeramyKopacko
    • Device
    • Approved on
    • 0 Comments
    This query is leveraged in our recommended read to assist in auditing unsupported software. Credit to Jainidhya for assembling this little beauty. Set variable as $$Version$$ with type 'string' and another variable as $$Name$$ with type 'string' Once...

  • T1078 - CVE-2020-1472 - Netlogon

    JeramyKopacko
    • Threat Hunting
    • Under Review on
    • 0 Comments
    This is an older vulnerability but still nice to showcase the capabilities of how XDR can discover CVEs. This query will search and detect Windows vulnerability affecting the Netlogon feature. Sophos Security Bulletin: https://community.sophos.com...

  • LINUX Process Tree for Data Lake (SHORT)

    Karl_Ackerman
    • Anomalies
    • Approved on
    • 0 Comments
    -- FIXED PID RECYCLE PROBLEM With the Data lake and LINUX we have some challenges creating a Sophos PID. The issue is around time from the Linux Process Events Journal in OSQuery. It does not have accurate enough process start time information so we...

  • LINUX MITRE ATT&CK TTP Detector (DATA LAKE)

    Karl_Ackerman
    • Anomalies
    • Approved on
    • 0 Comments
    Below is a DATA LAKE QUERY for a basic LINUX and MAC OS TTP Detection query. It has multiple variables VARIABLES Number of hours to search STRING Verbosity 0-9 (use 10 for ALL) STRING device_name STRING mitre_id STRING tactic name STRING...

  • T1070.001 - Indicator Removal on Host: Clear Windows Event Logs - Removal of .evtx files

    EMK
    • ATT&CK
    • Complete on
    • 0 Comments
    MITRE Technique T1070.001 - "Indicator Removal on Host: Clear Windows Event Logs" - details adversaries may clear the Windows Event Logs, typically Security, to hide the activity of an intrusion. One should therefore be mindful of tools such as wevtutil...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner