Live Discover allows administrators to gain visibility into their environment and get immediate answers to any pressing question. It allows direct access to a device to understand its current running status and historic activity.
Live Discover is based on osquery, an open-source project that allows administrators to understand the current running status of a device. It leverages SQL queries to ask those questions of the device.
This article shows how to write a query that returns information by file type (.docx, .exe, .zip, …) in specific folders on an endpoint.
Step 1: Create a new query.
Log in to Sophos Central Admin > Threat Analysis Center > Live Discover.
Sophos provides ready-made query categories (Device, File, Event, …) for querying information on workstations and servers. In addition to the available categories, Sophos also lets you customize the queries to your liking.
Click to enable Designer Mode, then click Create New Query.
Query name: enter a name for the query you want to create.
Example: Search subfolders for a specific filename or extension
Category: select a category for this query, e.g. File.
Source: click Live Endpoint and select Windows/Mac/Linux.
SQL: enter the query that retrieves the information you want.
Example: search for files ending in .exe on the endpoint's desktop. The page only gives the WHERE clause; the SELECT and FROM shown here complete it against osquery's standard file table (in osquery path patterns, % matches one directory level and %% matches recursively):
SELECT path, directory, filename, size FROM file WHERE directory LIKE 'C:\users\%\desktop%%' AND filename LIKE '%%.exe';
Step 2: Select the device to query.
In the Device Selector section, click the triangle icon, then click the endpoints you want to query.
Click Run Query.
If a confirmation message appears, click Run Query again to continue.
Wait for the query to finish collecting information from the device.
Step 3: Check the query results.
After the query completes, you will see information about the .exe files on the selected endpoints.
To search for a different file type, change the filename pattern, e.g. to LIKE '%%.zip', and to search a different location, change the directory pattern to the "downloads" folder.
Or change the file type to .pdf.
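The following query is an added example, not from the original article or from Sophos, that generalizes the .zip/.pdf/downloads variations above into one Live Discover query: it searches every user's Downloads folder recursively for several file types at once and adds the modification time and SHA-256, which are the fields a responder usually needs when triaging a suspicious download. It assumes the standard osquery "file" and "hash" tables and a Windows endpoint.

```sql
-- Added example (not part of the original article). Assumes osquery's
-- standard "file" and "hash" tables on a Windows endpoint.
-- In osquery path patterns, % matches one directory level and %% matches
-- that directory and everything below it, so 'C:\Users\%\Downloads%%'
-- covers every user's Downloads folder and all of its subfolders.
SELECT
  f.path,
  f.directory,
  f.filename,
  f.size,
  datetime(f.mtime, 'unixepoch') AS modified_utc,   -- last modification, UTC
  h.sha256                                          -- for lookup against threat intel
FROM file AS f
LEFT JOIN hash AS h ON h.path = f.path
WHERE f.directory LIKE 'C:\Users\%\Downloads%%'
  AND (
        f.filename LIKE '%.zip'
     OR f.filename LIKE '%.pdf'
     OR f.filename LIKE '%.docx'
     OR f.filename LIKE '%.exe'
  )
ORDER BY f.mtime DESC;
```

Hashing is computed on demand, so on endpoints with large Downloads folders the join with the hash table will make the query noticeably slower; drop the join (or narrow the extension list) if you only need the file listing.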