Live Discover

Live Discover lets you query the devices that Sophos Central manages, to look for signs of a threat or to assess compliance.

Introduction

Restriction: You need to join the early access program to use this feature.

You can search devices for signs of threats that other Sophos features haven't detected. Such signs may be unusual changes to the registry, failed authentications, or a process that is rarely seen running. You can also check the compliance of each device, for example for out-of-date software or for browsers that don't use secure settings.

You can also search devices for signs of a suspected or known threat, for example when Sophos Central has raised an alert or a user has reported suspicious behavior on their device.

We provide a range of queries for you to use to check your devices. You can use them as they are, or you can edit them to change their behavior. You can also create queries.

Live Discover shows the results of each query that you run, together with telemetry that shows how successfully each device returned its results. You can export both the results and the telemetry.
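The following osquery query is an added example, not one of the queries that Sophos provides with Live Discover. It shows one way to look for the suspicious-process sign described above on a Windows device: processes whose executable runs from a user-writable temp or Downloads folder, or whose image has been removed from disk, together with the image's SHA-256 so the result can be checked against threat intelligence. Table and column names are osquery's; the directory patterns are this example's own choice.

```sql
-- Added example for Live Discover (osquery SQL), not a Sophos-supplied query.
-- Target: Windows. Lists running processes whose image is no longer on disk
-- or runs from a user-writable location, with the image hash and parent name.
SELECT
    p.pid,
    p.name,
    p.path,
    p.cmdline,
    p.parent,
    pp.name                              AS parent_name,
    p.on_disk,                           -- 1 = image present, 0 = deleted, -1 = unknown
    datetime(p.start_time, 'unixepoch')  AS started_utc,
    h.sha256                             -- NULL when the image is not on disk
FROM processes AS p
LEFT JOIN processes AS pp ON pp.pid = p.parent
LEFT JOIN hash      AS h  ON h.path = p.path   -- the join supplies the path constraint that hash requires
WHERE
    p.on_disk = 0
    -- Backslashes are literal in SQLite LIKE; the patterns below are the example's own choice.
    OR LOWER(p.path) LIKE '%\appdata\local\temp\%'
    OR LOWER(p.path) LIKE '%\windows\temp\%'
    OR LOWER(p.path) LIKE '%\downloads\%'
ORDER BY p.start_time DESC;
```

Results are per device. To find an image that is rare across your estate, export the results to CSV and count the distinct devices per sha256. Hashing every matching image costs CPU and I/O on the device, so expect a lower Performance rating than for a query over the processes table alone.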

To start, select which devices to query.

Select devices to query

You need to select the computers and servers that Live Discover should query. To select devices, do as follows:

  1. In Live Discover, click the arrow to expand Device selector.

    Available devices shows all the computers and servers that are managed by Sophos Central.

    Selected devices shows the subset of available devices that you have chosen to query.

  2. Under Available devices, filter the devices that are shown. Click Apply.

    You don't have to enter an exact match and the filters aren't case sensitive.

  3. Select the devices that you want to query and click Update selected devices list.
  4. If you want to refine the list further you can filter the selected devices or deselect devices. To do this, click Selected devices, and do as follows:
    • Click Show filters. Filter the selected devices.
    • Deselect devices and click Update selected devices list.

Select query

To select a pre-prepared query, do as follows:

  1. In Live Discover, click the arrow to expand Query.
  2. Click the category that you want to use.
    The list of queries in that category is shown. Performance indicates the average effect the query had on each device’s performance based on the most recent usage. For example, a query that runs quickly, and generates little data has little impact and is rated Excellent.
  3. Filter or search the queries if you want to shorten the list.
  4. Click the query that you want to run.

The query is shown, including the supported operating systems, performance data, and the osquery SQL for the query.

Edit or create a query

You can edit a query that you've selected to change its behavior, or you can create a new one.

The query is written for osquery, which exposes operating system data as tables that you query with SQL (SQLite syntax). You must be familiar with osquery and SQL to edit the query.

To edit or create a query, do as follows:

  1. In Live Discover, expand Query.
    1. To edit a query, ensure that you have selected it. Then click Edit.
    2. To create a query, look at the list of query categories. Then click Create new query.
  2. Enter a new name for the query.
  3. Enter a category for the query, a description, and the operating systems on which it can run.
  4. In the SQL box, enter the changes that you want to make to the existing query or enter the new query.

    A query must contain at least 15 characters to run on the selected devices.

    For information about the tables and columns available, see the osquery reference.

  5. You can add a variable to the query and assign a value to it. You can then use the value in the query, for example in a WHERE condition. To do this, do as follows:
    1. Expand the variable editor.
    2. Click + Add variable.
    3. Enter a name for the variable.

      You can include spaces in the name but not dollar symbols.

    4. Specify the variable type and the value that you want to use when the query runs.
    5. In the SQL box, enter the SQL variable name, including the dollar symbols, where you want to use the variable.

    For example, if you enter File path for the variable name, the SQL variable name becomes $$File path$$.

    Enter $$File path$$ in the SQL box where you want the value to appear. The processes table stores the location of a process's executable in its path column (it has no filepath column):

    SELECT * FROM processes
    WHERE path = $$File path$$
  6. Click Save.
    The query is saved to the category that you specified.
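The following is a complete parameterized query, added here as an example and not taken from Sophos's query library. It assumes two variables created in the variable editor, Search path (a string) and Days (an integer), and it assumes, as the steps above imply, that Live Discover replaces each $$name$$ token with the variable's value as text. The string variable is therefore quoted in the SQL and the integer variable is not; if your variable type inserts its own quotes, drop the quotes around $$Search path$$.

```sql
-- Added example for Live Discover (osquery SQL), not a Sophos-supplied query.
-- Variables assumed to exist in the variable editor:
--   Search path (String)  e.g. C:\Users\%\Downloads\%   (% matches one path level, %% recurses)
--   Days        (Integer) e.g. 7
-- Assumes each $$name$$ is substituted as raw text, so the string is quoted here.
SELECT
    f.path,
    f.filename,
    f.size,
    datetime(f.mtime, 'unixepoch') AS modified_utc,
    h.sha256
FROM file AS f
LEFT JOIN hash AS h ON h.path = f.path          -- hash is computed only for rows that match below
WHERE f.path LIKE '$$Search path$$'             -- file requires a path or directory constraint
  AND f.type = 'regular'                         -- skip directories, links and devices
  AND f.mtime > strftime('%s', 'now') - ($$Days$$ * 86400)
ORDER BY f.mtime DESC;
```

Because substitution is textual, a value for Search path that contains a single quote changes the meaning of the query rather than being searched for; keep variable values to the type you declared. A broad pattern such as C:\%% forces osquery to walk and hash the whole volume, which shows up as a poor Performance rating and a large Data XFR in the telemetry, so scope the path before running on many devices.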

Run query

To run a query, do as follows:

  1. Expand Query.
  2. Click Run query.
    The query results show below the query panel. These are the items that the query has discovered on each device. You can export the results to a CSV file.

    The telemetry shows below the query results. This is the data about how successful the query was in getting information from each device. For example, how long it took to get the information from each device.

When the query stops running, the full query results and telemetry data are available. You can click a device name in either list to view the device’s details page.

You can change the selected devices or edit the query while it is running.

Telemetry

Under Device Telemetry, you can see data about how successful the Live Discover query was in getting information from each device.

Click Progress to select which telemetry status types to show. The status indicates whether the query has completed and whether the device sent data back.

You can also see information about the performance of the query and the amount of data it generated.

Setting       Description

Performance   The effect the query had on the device's performance. For example, a query that runs quickly and generates little data has little impact and is rated Excellent.

Data XFR      The amount of data that the query generated and transferred from the device.

To export the content of the list to a CSV file, click Export.