Overview
Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

New to Live Discover & Response queries?

See Getting Started In Live Discover - From Beginner to Advanced Query Creation

Make sure to also check out
Best Practices On Using Live Discover & Response Query Forum and Sophos EDR Threat Hunting Framework.
Query Corner Announcement and Master Index.

Notes:
For more information on Live Discover, please check out our Product Documentation
For query assistance, please see Getting LD&R Community Support.

Sophos Community XDR Queries on GitHub

Navigate to a category below to browse and submit a query

Browse Live Response and Discover Queries by Category
Latest Live Discover and Response Queries (All)

  • SeriousSam/HiveNightmare Hunting Query (Live Endpoint)

    reg1nleifr
    • Threat Hunting
    • Approved on
    • 2 Comments
    Hunting Query we've used for detecting suspicious processes exploiting the SeriousSAM Vulnerability. Depending on your environment you might see plenty false positives. A good idea might be to add valid processes to the query based on the sha256 value...

  • Ability to view URL's (warn, block) using EDR

    RaviSoni
    • Compliance
    • Approved on
    • 0 Comments
    This query will parse the Web Intelligence log files and display the URL's that users have visited or have attempted to visit, Category of the URL, Action was taken etc. This gives a rough idea of what users have visited on a specific date. Declare...

  • Add context to the Sophos Endpoint Health Status report with XDR

    AndrewMundell
    • Compliance
    • Approved on
    • 1 Comment
    BIG thanks to RaviSoni for all the hard work on the detail in this query. You can use the query below to get more context on the health status of Windows machines via Endpoint Live Discover. e.g. which area is causing a bad health (Service or Threat...

  • Check IP Journal against File Properties & Processes

    JeramyKopacko
    • Threat Hunting
    • Approved on
    • 0 Comments
    It may be useful to see what specific PID, program, syntax, etc and its threat scoring that has interacted with a specific IP. This is the final query from the Getting Started Recommended Read shared recently. ## DEFINE $$IPaddress$$ as IPaddress ...

  • EDR Query to list deleted files in a directory

    RogerNeal
    • Files
    • Approved on
    • 0 Comments
    Description We've been asked a few times if its possible to write a quick query to list files deleted in a particular directory. This query below is a modification of the existing File Access History Query to just show deleted files for a specified...

  • Printnightmare Hunting Query (Live Discovery/Windows)

    reg1nleifr
    • Threat Hunting
    • Under Review on
    • 0 Comments
    Similar to the Data Lake Query (which seems to be having issues since it's not detecting all dll files in all folders) we've also created a Live-Discovery Query for Windows Systems on the Printnightmare Vulnerability. The Query could be scheduled via...

  • Complete, no data sent

    Billiam N
    • Files
    • Complete on
    • 0 Comments
    Good Morning Sophos Fam, I'm just beginning to leverage SQL queries in the life of a Security Admin, and my question is when you receive a "Complete, no data sent" is it due to - The device doesn't match the query parameters? - Communication...

  • PrintNightMare Spooler Service Check

    Jainidhya
    • Threat Hunting
    • Approved on
    • 0 Comments
    -- FIND SYSTEMS WITH PRINT SPOOLER RUNNING SELECT name, status, start_type, user_account, CASE WHEN status = 'RUNNING' THEN ' Exposed to unpatched vulnerabilities inc. PrintNightmare ' WHEN status = 'STOPPED' THEN ' NOT exposed to unpatched...

  • PrintNightMare Registry Fix Check

    Jainidh Rajpal
    • Threat Hunting
    • Approved on
    • 0 Comments
    -- Check Print Server Registry Fix SELECT DISTINCT 'Check Registry Fix' Test, CAST(GROUP_CONCAT(name, ' '||CHAR(10)) AS TEXT) Result, CASE ​ WHEN name = 'RestrictDriverInstallationToAdministrators' THEN 'Fix Applied...

  • PrintNightMare Hotfix Check

    Jainidh Rajpal
    • Threat Hunting
    • Approved on
    • 0 Comments
    -- PrintNightMare Hotfix/Patch Check SELECT DISTINCT services.display_name AS Service, services.status, 'List PrintNightMare Hotfix' TEST, CAST(GROUP_CONCAT(hotfix_id, ' '||CHAR(10)) AS TEXT) Result, CASE WHEN hotfix_id = 'KB5004953' THEN 'Windows...
Unfiltered HTML
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Cookie Information Banner