Live Discover

Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

You can use Live Discover queries to search devices for signs of threats that haven’t been detected by other Sophos features. For example:

  • Unusual changes to the registry.
  • Failed authentications.
  • A process running that is very rarely run.

You can also search devices for signs of a suspected or known threat if Sophos Central has found the threat elsewhere, or if a user reports suspicious behavior on their device.

You can also check the compliance of each device. For example, you can search for out-of-date software or browsers with insecure settings.

This page tells you how to use Live Discover. You can also familiarize yourself with it by completing the Sophos XDR Training.

How queries work

We provide a range of queries for you to use to check your devices. You can use them as they are, or edit them (you'll need to be familiar with osquery or SQL). You can also create queries.

You can run queries to get information from different sources:

  • Endpoint queries get the latest information from devices that are currently connected.
  • Data Lake queries get information from a Data Lake that devices upload their data to regularly. They can also get information from other Sophos products you have set up to send data to the Data Lake, for example Sophos Cloud Optix or Sophos Email. See Data Lake queries.
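As an added example (not a query from Sophos's library), here is what an endpoint query in osquery SQL looks like for the first hunts listed above: unusual registry changes and recently started processes. It uses only the standard osquery tables `registry`, `processes` and `hash` (no Sophos-specific journal tables are assumed); the autorun key paths and the 24-hour window are assumptions you can change.

```sql
-- Added example, not a Sophos-provided query. Windows endpoint query that
-- needs only the standard osquery tables "registry", "processes" and "hash".

-- Hunt 1: autorun (Run / RunOnce) values under keys modified recently.
-- "%" in the HKEY_USERS key matches exactly one key level (each user SID).
-- Caveat: mtime is the key's last-write time, so one changed value brings
-- back every value under that key; review them together.
SELECT
    key,
    name,
    type,
    data,
    datetime(mtime, 'unixepoch') AS key_modified_utc
FROM registry
WHERE (key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
    OR key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    OR key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
    OR key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\RunOnce')
  AND mtime > strftime('%s', 'now') - 86400      -- assumed window: last 24 h
ORDER BY mtime DESC;

-- Hunt 2: processes started inside the same window, with the SHA-256 of the
-- on-disk image so a suspicious row can be pivoted to an enrichment such as
-- VirusTotal straight from the results table. Keep the window short, as the
-- page's tip advises, to limit run time and result volume on busy devices.
SELECT
    p.pid,
    p.parent,
    p.name,
    p.path,
    p.cmdline,
    datetime(p.start_time, 'unixepoch') AS started_utc,
    h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE p.start_time > strftime('%s', 'now') - 86400   -- same assumed window
  AND p.path != ''                                   -- skip kernel/system rows
ORDER BY p.start_time DESC;
```

Run each statement as its own Live Discover query (with Designer Mode turned on), and test it on a single device first, as the page recommends before running an untested query on many devices.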

To get started, check the Requirements and then follow the steps in the sections below.

Requirements for devices

If you want to use Data Lake queries, you must enable your devices to upload data to the Data Lake.

To set up your devices to upload data, do as follows.

  1. Go to Overview > Global Settings.
  2. Under Endpoint Protection (or Server Protection for servers), click Data Lake uploads.
  3. Turn on Upload to the Data Lake.

For more information, see Data Lake uploads.

Requirements for Sophos Cloud Optix

Restriction: This feature might not be available to all customers yet.

If you want to use Data Lake queries on data from your cloud environments, you need a Sophos Cloud Optix Advanced license in Sophos Central, and an Intercept X license that includes Sophos XDR.

You must be a Super Admin in Sophos Cloud Optix to turn on Data Lake uploads.

To turn on Data Lake uploads, do as follows.

  1. Sign in to Sophos Cloud Optix.
  2. Go to Settings > Advanced.
  3. Turn on XDR Data Uploads.
    You can upload activity log data for specific cloud environments or all your environments.

For more information on uploading data to the Data Lake, see Data Lake uploads.

Select query

To select a pre-prepared query, do as follows:

  1. Go to Overview > Threat Analysis Center and click Live Discover.
    Screenshot of Live Discover in Central Admin menu
  2. In Live Discover, click the arrow to open the Query section (if it isn't already open).

    Designer Mode lets you edit or create queries. You don't need to turn it on if you're using our pre-prepared queries.

    Screenshot of Live Discover page
  3. By default, you see the All Queries tab. If you prefer, click the tab for the type of query you want:
    • Endpoint Queries. These get the latest data from connected endpoints.
    • Data Lake queries. These get data from a Data Lake that endpoints upload their data to regularly.

    You see the Categories that are available.

    Screenshot of query categories
  4. Click the category that you want to use. This shows you a list of the queries in that category.

    System Impact indicates the effect the query has on device performance based on recent usage.

    Screenshot of queries list
  5. Filter or search the queries if you want to shorten the list.
  6. Click the query that you want to run.
    Screenshot of a selected query

The query is shown, including the supported operating systems and performance data.

Tip: For queries that let you specify a time period (for example, queries run on events journals), set a short period to avoid queries running slowly or generating too much data.

Select devices to query

If you selected an endpoint query, select the devices that you want to query.

If you selected a Data Lake query, you don’t need to select devices. All devices are always included. Skip this section.

  1. In Live Discover, click the arrow to expand Device selector.

    Available devices shows all the computers and servers that are managed by Sophos Central.

    Screenshot of device selector
  2. Under Available devices, filter the devices that are shown. For example, you might want to query devices with a particular operating system. Click Apply.

    You don't have to enter an exact match and the filters aren't case sensitive.

    Screenshot of filters
  3. Select the devices that you want to query and click Update selected devices list.

    This adds the devices to a list on the Selected devices tab, where you can manage them easily.

    Screenshot of selected devices
  4. Optional: If you want to refine the list further, you can filter the selected devices or deselect devices. To do this, click Selected devices, and do as follows:
    • Click Show filters. Filter the selected devices.
    • Deselect devices and click Update selected devices list.

Run query

When you've finished setting up a query, you can run it.

You can run up to four queries on devices at the same time.

Note: You can change the selected devices or edit the query while it is running.

To run a query, do as follows.

  1. At the bottom of the Live Discover page, click Run Query.
    Screenshot of Run query button
  2. If you haven't run the query before, a message recommends that you run it on one device to test it. Go back to edit your selected devices or click Run Query to go ahead.
    Screenshot of untested query warning
  3. When the query stops running, you see the query results panel. This shows:
    • Items found for each device.
    • New queries or actions you can base on items in the results. Click the ellipsis icon next to an item to see the options.
    • Device telemetry (beneath the results). This is information about the query's speed and how much data it generates. See Live Discover telemetry.
    Screenshot of query results

    You’ll see a Sophos PID for processes. This is a unique process ID that we never reuse (unlike an operating system PID, which can be reassigned), so queries based on it don’t return unwanted results for older processes.

You can schedule some queries to run at set times (Data Lake queries only). See Scheduled queries.

To do further analysis, you can run queries based on the results. See Use pivot queries, enrichments and actions.

Use pivot queries, enrichments, and actions

You can use your query results as a basis for additional queries that home in on potential threats.

In the results table, you’ll see an ellipsis icon next to some items.

Click the icon to see actions that are available:

  • Queries. These "pivot queries" let you quickly run a new query based on the item selected. For an example of how to use them, see Pivot queries.
  • Enrichments. These open third-party websites like VirusTotal or IP Abuse DB to look up information about a potential threat you've found.
  • Actions. These offer further detection or remediation. For example, you can raise a threat case to get in-depth analysis of an incident, or start Live Response to access and investigate a computer.

You can customize some pivot settings. See Custom pivot options.