Skip to content

Live Discover

Live Discover allows you to check the devices that Sophos Central is managing, look for signs of a threat, or assess compliance.

You can use Live Discover queries to search devices for signs of threats that haven’t been detected by other Sophos features. For example:

  • Unusual changes to the registry.
  • Failed authentications.
  • A process running that is very rarely run.

You can also search devices for signs of a suspected or known threat if Sophos Central has found the threat elsewhere, or if a user reports suspicious behavior on their device.

You can also check the compliance of each device. For example, you can search for out-of-date software or browsers with insecure settings.

This page tells you how to use Live Discover. You can also familiarize yourself with it by completing the Sophos XDR Training.

How queries work

We provide a range of queries for you to use to check your devices. You can use them as they are, or edit them (you'll need to be familiar with osquery or SQL). You can also create queries.

You can run queries to get information from different sources:

  • Endpoint queries get the latest information from devices that are currently connected.
  • Data Lake queries get information from a Data Lake that devices upload their data to regularly. They can also get information from other Sophos products you have set up to send data to the Data Lake, for example Sophos Cloud Optix or Sophos Email. See Data Lake queries.
  • Data Lake queries can also get information from third-party sources. You can add Microsoft 365 audit logs and we are adding more data sources.

To get started, check that you can get data from the resources you want to query. To find out how to get data from devices follow the instructions below.

To find out how to get data from Sophos Cloud Optix and Microsoft 365 audit logs, see Data Lake uploads.

Then set up and run queries as described in the later sections.

Get data from devices

If you want to use Data Lake queries, you must enable your devices to upload data to the Data Lake.

To set up your devices to upload data, do as follows.

  1. Go to Overview > Global Settings.
  2. Under Endpoint Protection (or Server Protection for servers), click Data Lake uploads.
  3. Turn on Upload to the Data Lake.

For more information, see Data Lake uploads.

Requirements for Sophos Mobile

If you want to use Data Lake queries on data from your mobile devices, you need a Mobile Advanced or Intercept X for Mobile license in Sophos Central, and an Intercept X license that includes Sophos XDR.

To set up your mobile devices to upload data, do as follows.

  1. Go to Overview > Global Settings.
  2. Under Mobile, click Data Lake uploads.
  3. Turn on Upload to the Data Lake.

For more information, see Data Lake uploads.

Select query

To select a pre-prepared query, do as follows:

  1. Go to Overview > Threat Analysis Center and click Live Discover.

    Screenshot of Live Discover in Central Admin menu

  2. In Live Discover, open the Query section (if it isn't already open).

    Designer Mode lets you edit or create queries. You don't need to turn it on if you're using our pre-prepared queries.

    Screenshot of Live Discover page

  3. By default, you see the All Queries tab. If you prefer, click the tab for the type of query you want:

    • Endpoint Queries. These get the latest data from connected endpoints.
    • Data Lake queries. These get data from a Data Lake that endpoints upload their data to regularly. You see the Categories that are available.

    Screenshot of query categories

  4. Click the category that you want to use. This shows you a list of the queries in that category.

    System Impact indicates the effect the query has on device performance based on recent usage.

    Screenshot of queries list

  5. Filter or search the queries if you want to shorten the list.

  6. Click the query that you want to run. This displays the query details, including supported operating systems and performance data.

    Screenshot of a selected query

  7. Optional: If you selected a Data Lake query, click the arrow to open Select a Time Period and select a period to query. The default is the past 7 days.

    This option isn't a schedule. It specifies how much past data the query runs on, not how often it runs.

    You can use this option to avoid generating too much data.

    Some queries, including endpoint queries, also let you specify a time period in their variables (for example, queries run on event journals).

    Time period selector

If you selected an endpoint query, select the devices to query.

If you selected a Data Lake query, you're ready to run or schedule the query. See "Run a query".

Select devices to query

If you selected an endpoint query, select the devices that you want to query.

If you selected a Data Lake query, all devices are always included. Skip this section.

  1. In Live Discover, open Device selector.

    Available devices shows all the computers and servers that are managed by Sophos Central.

    Screenshot of device selector

  2. Under Available devices, filter the devices that are shown. For example, you might want to query devices with a particular operating system. Click Apply.

    You don't have to enter an exact match and the filters aren't case sensitive.

    Screenshot of filters

  3. Select the devices that you want to query and click Update selected devices list.

    This adds the devices to a list on the Selected devices tab, where you can manage them easily.

    Screenshot of selected devices

  4. Optional: If you want to refine the list further you can filter the selected devices or deselect devices. To do this, click Selected devices, and do as follows:

    • Click Show filters. Filter the selected devices.
    • Deselect devices and click Update selected devices list.

Run query

When you've finished setting up a query, you can run it.

You can run up to four queries on devices at the same time.

Note

You can change the selected devices or edit the query while it is running.

To run a query, do as follows.

  1. At the bottom of the Live Discover page, click Run Query.

    Screenshot of Run query button

  2. If you haven't run the query before, a message recommends that you run it on one device to test it. Go back to edit your selected devices or click Run Query to go ahead.

    Screenshot of untested query warning

  3. When the query stops running, you see the query results panel. This shows:

    • Items found for each device.
    • New queries or actions you can base on items in the results. Click an ellipsis icon Ellipsis icon to see the options.
    • Device telemetry (beneath the results). This is information about the query's speed and how much data it generates. See “Live Discover telemetry”.

    Screenshot of query results

    You’ll see a Sophos PID for processes. This is a unique process ID. We never reuse it, so queries based on it don’t get unwanted results on older processes.

You can schedule some queries to run at set times (Data Lake queries only). See Scheduled queries.

To do further analysis, you can run queries based on the results. See “Use pivot queries, enrichments and actions.”

Use pivot queries, enrichments, and actions

You can use your query results as a basis for additional queries that home in on potential threats.

In the results table, you’ll see an ellipsis icon next to some items. Screenshot of ellipsis icon

Click the icon to see actions that are available:

  • Queries. These "pivot queries" let you quickly run a new query based on the item selected. For an example of how to use them, see “Pivot queries”.
  • Enrichments. These open third-party websites like VirusTotal or IP Abuse DB to look up information about a potential threat you've found.
  • Actions. These offer further detection or remediation. For example, you can raise a threat graph to get in-depth analysis of an incident, or start Live Response to access and investigate a computer.

You can customize some pivot settings. See Enrichments.

Back to top