Sophos XDR: How to query Device Activity on Endpoint with Live Discover.


Live Discover allows administrators to gain visibility into their environment and get immediate answers to any pressing question. It allows direct access to a device to understand its current running status and historic activity.

Live Discover is based on osquery, an open-source project that allows administrators to understand the current running status of a device. It leverages SQL queries to ask those questions of the device.

This article will guide you how to query to get device information such as running operating system version, device’s IP, MAC address, drives, disk space, and available disk space, percentage of disk, RAM, CPU, … installed Sophos Endpoint in the network.

2. Instructions.

Step 1: Create new query

You log in to Sophos Central Admin > Threat Analysis Center > Live Discover.

Here Sophos has provided categories (Device, File, Event, …) available for users to use to query information on workstations and servers. In addition to the available categories, Sophos also allows you to customize the queries to your liking.

Click to enable Designer Mode > click Create New Query.

Query name: Enter name the query you want to create.

Example: Device Activity (Multiple queries in one)

Category: select a category for this query. Ex: Device

Soucre: click Live Endpoint (select Window/Mac/Linux).

SQL: You enter the query code you want to find information.

For example: You can visit this link to get the query code.


Step 2: Select Device to query.

In the Device Selector section, click the triangle icon. Click on the endpoints you need to query for information.

Select Run Query.

If this message appears. Continue to click Run Query.

You wait for the query to get information on the device to complete.

Step 3: Check query results

After the query, you will have information about the device such as: Version of the operating system running, the device’s IP, MAC address, Drives, disk space, how much free space the drive has. percent, RAM, CPU, recent reboot time.

There are also user activities such as using cmd, onedrive, ..

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.