CE4525 4.0v1 Getting Started With Sophos Central XDR Live Discover
[Additional Information]
December 2022
Version: 4.0v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
DURATION 9 minutes
In this chapter you will learn what Live Discover is, and how to run Live Discover queries.
Live Discover is a powerful search tool that provides the ability to run queries across multiple devices
on your network. Queries can return live and historic data for up to 90 days of activity providing IT
insight, advanced threat hunting as well as visibility into what is happening in your environment. Live
Discover can be used to discover risks before they result in breaches and for performing real-time
threat investigations and security monitoring.
[Platform icons: Windows, macOS, Linux, Mobile]
Live Discover is based on OSQuery (an open source project) and uses SQL queries.
You can run simple remote queries, such as finding out when a device was last patched. You can also
run more complex queries, for example returning the standard deviation and variance of a device's
network communications over a specific time period to look for anomalies.
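The anomaly-style query described above, as an added example that is not part of the Sophos course material: it uses the SQLite dialect that OSQuery understands and runs against constructed sample data. The `hourly_conns` table and its columns are an assumption for illustration, not a Live Discover table, and the 2-sigma threshold is a choice, not a Sophos default.

```python
import math
import sqlite3

# Constructed sample telemetry (not real Live Discover output): outbound
# connection counts per hour for two devices. host-a has one abnormal hour.
HOST_A = [9, 11, 10, 12, 8, 10, 11, 9, 10, 12, 10, 9,
          11, 10, 8, 12, 10, 9, 11, 10, 10, 9, 11, 200]
HOST_B = [40, 60, 50, 45, 55, 50] * 4
SAMPLE_ROWS = [("host-a", h, c) for h, c in enumerate(HOST_A)] + \
              [("host-b", h, c) for h, c in enumerate(HOST_B)]

# SQLite has no STDEV(); derive variance per device as E[x^2] - E[x]^2 and
# take the root with a sqrt() function registered from Python.
OUTLIER_SQL = """
WITH stats AS (
    SELECT device,
           AVG(conn_count) AS mean,
           AVG(conn_count * conn_count) - AVG(conn_count) * AVG(conn_count) AS var
    FROM hourly_conns
    GROUP BY device
)
SELECT h.device, h.hour, h.conn_count
FROM hourly_conns AS h
JOIN stats AS s ON s.device = h.device
WHERE h.conn_count > s.mean + :sigmas * sqrt(s.var)
ORDER BY h.device, h.hour
"""


def find_outliers(rows, sigmas=2.0):
    """Return (device, hour, conn_count) rows more than `sigmas` standard
    deviations above that device's own hourly mean."""
    conn = sqlite3.connect(":memory:")
    # Clamp at 0 so floating-point noise on a constant series cannot make
    # the variance slightly negative and break sqrt().
    conn.create_function("sqrt", 1, lambda v: math.sqrt(max(v, 0.0)))
    conn.execute("CREATE TABLE hourly_conns (device TEXT, hour INTEGER, conn_count INTEGER)")
    conn.executemany("INSERT INTO hourly_conns VALUES (?, ?, ?)", rows)
    result = conn.execute(OUTLIER_SQL, {"sigmas": sigmas}).fetchall()
    conn.close()
    return result


if __name__ == "__main__":
    for device, hour, count in find_outliers(SAMPLE_ROWS):
        print(f"{device} hour {hour}: {count} connections (outlier)")
```

Note that a device whose counts are nearly constant will flag even a tiny change, so in practice the threshold is tuned per environment rather than fixed.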
Live Discover is supported on Windows, macOS and Linux operating systems. Please note that these
operating systems have different schemas, therefore some pre-defined queries may only be available
for specific operating systems.
The menu items in Live Discover can be expanded or minimized. Here we can see the ‘Query’ section
is minimized and the ‘Device selector’ section is expanded.
Pre-defined or ‘canned’ queries are provided by Sophos, and over time additional queries will be
added. These are queries that are available for use without the need for editing. For example, you can
run a canned query that will list all registry keys that have been modified in the last 3 days.
Sophos’ canned queries are assigned to one or more categories using a tagging mechanism. You can
view all queries that are available in the ‘All Queries’ category. You can also view any recent queries
you have used. All other categories are listed alphabetically and include categories such as device,
events, hunting and forensics, and network activity.
You can search for queries and all searches return matching queries from all categories. The list
returned will display the query name, description, and category of each available query.
The sources column indicates which operating systems the query supports and, where necessary,
whether it is a Data Lake or Endpoint query. The system impact is only listed for queries that have
already been run. The created by column indicates who created the query. All canned queries are
indicated with the Sophos ‘S’ icon.
Once you select a query to run, the expected device impact is displayed. As we mentioned, any query
that has not been run in your environment will have no expected system impact. We recommend
running a new query on a single device to determine the system impact of running the query.
To run an Endpoint Live Discover query, you must select at least one device.
Online devices are displayed automatically; however, you can filter the list to display offline devices,
specific device groups, only Windows devices, and more to suit your needs. You can select one or
more devices to run the query against.
Once you have selected the devices click Update selected device list. If you need to remove devices,
click the tick box to de-select them from the list and click Update selected device list. The number of
devices will be updated.
For an Endpoint Live Discover query, once at least one device is selected, the Run Query option is
displayed.
When you run a query for the first time, you may see a warning message. This is to notify you that the
query you are about to run is untested in your environment.
There is minimal impact of running a query on your devices, and you can run a query across thousands
of devices. Up to one hundred thousand rows of response data can be returned.
The table schema query will list all the data tables available.
Queries are written to pull information from data tables that are populated with your device
information.
The query ‘table schema’ provides a list of all the data tables that can be included in queries. If a
canned query does not provide you with the data you want, you can choose to edit an existing query
or create your own.
The information requested in the query will be collected, joined and presented to you as a result set of
data.
You can choose to export the data returned, allowing you to interrogate the data using a tool of your
choice. You can also use available pivoting options to perform further actions. If pivoting options are
available for the data, an ellipsis menu is displayed.
Clicking the ellipsis will display the available actions for the data.
The queries section lists the available Data Lake and Live Discover queries that can use the data. These
are known as pivot queries as they take the data returned and pivot it to run a new query.
The enrichments section provides links to third party websites that can be used to look up information
about potential threats and tools.
The actions section includes available actions for further investigation or remediation. In the example
you can select to either scan the device or start a Live Response session to that device.
In the device telemetry section, you can view which devices have responded to your query. If the
query has completed successfully but there was no data in the available table(s), the ‘Complete, no
data sent’ flag will be set. The table displays the following information:
• The status column, which indicates whether the query finished and whether the device sent results.
You can filter the device list according to device status.
• The system Impact column, which displays the query performance. A query that runs very quickly
and generates little data is returned as having the smallest impact.
• The data XFR column, which displays the amount of data the query generated.
The possible status values are:
• Complete, data sent: The query completed successfully, and data has been returned.
• Complete, no data sent: The query completed successfully; however, there was no data to return.
• Complete, errors: The query completed successfully; however, one or more devices returned errors.
• Not responded yet: The query has been sent; however, the devices have not responded to the query.
For any Live Discover query run, a log of that query is included in the Audit log. You can access the
audit log by navigating to Logs & Reports > Audit Logs.
In the Audit log, Live Discover queries are listed as Live Discover in the item type field. The date, time,
user and query name are recorded in the report, along with the IP address of the device that ran the
query.
What is the maximum number of days that an Endpoint Live Discover query can return data for?
___________
Where would you click to view the available pivoting options in this query result?
Here are the three main things you learned in this chapter.
Live Discover provides the ability to run queries across multiple devices on your network.
Any Endpoint Live Discover query will return live and historic data from the past 90 days of activity.
Live Discover queries can be run to return data from macOS, Windows and Linux devices.