1 Overview
Sophos Endpoint is an antivirus software suite that provides tools to protect and manage user machines, and Live Discover is one of its most useful features. In this article thegioifirewall shows how to use Live Discover to see the free hard drive space of managed machines and to check which machines on the network have port 3389 open.
2 Steps to take
Access Live Discover
In Sophos Central, go to Overview > Threat Analysis Center and select Live Discover.
2.1 View the free space of the user's hard drive
Enable Designer mode and click Create new query.
Name the query so it can be saved for later use. Select the category Device and the query mode Live endpoint.
Enter the query in the SQL box. The query text is given at the end of the article.
Select the machines you want to query. Here we choose two devices.
Click Run Query and view the results.
The results show the free space of each hard drive.
The Device telemetry line shows the status of the query: here the query completed on 2 devices and no errors occurred.
2.2 Check which machines have port 3389 open
Create a new query as in section 2.1.
Enter the following SQL and click Run Query to see the results.
The results show which machines have port 3389 open. You can click on that PC and select Isolate to isolate it from the network.
This is the end of the article; the SQL commands used are listed in the section below. Good luck with your demo.
3 Commands used in the article
3.1 osquery: check the remaining hard disk percentage
SELECT
  device_id AS Drive,
  description,
  boot_partition,
  file_system,
  -- free space as a percentage of the drive size, formatted with two decimals
  printf('%.2f', (CAST(free_space AS FLOAT) / CAST(size AS FLOAT)) * 100.0) || '%' AS Percent_Free,
  -- byte counts converted to GB
  printf('%.2f', CAST(free_space AS FLOAT) / 1024.0 / 1024.0 / 1024.0) AS "Free_Space(GB)",
  printf('%.2f', CAST(size AS FLOAT) / 1024.0 / 1024.0 / 1024.0) AS "Size(GB)",
  type
FROM
  logical_drives;
3.2 osquery: check whether the device has port 3389 open
SELECT
  lp.address, lp.pid, lp.port, lp.protocol, p.name, p.path, p.cmdline
FROM listening_ports lp
-- join to processes so the owning program of the listener is shown
JOIN processes p
  ON lp.pid = p.pid
WHERE lp.port = 3389;
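As an added example, not from the article or from Sophos, the two queries above are run against an in-memory SQLite database that stands in for osquery's logical_drives, listening_ports and processes tables, filled with constructed rows. The free-space query becomes a threshold alert, and the port query is extended to a list of remote-access ports and filtered so that loopback-only listeners, which are not reachable from the network, are not reported. Table and column names are osquery's; the sample values, threshold and function names are assumptions.

```python
import sqlite3

# Constructed sample rows (not real telemetry) that follow the column names of the
# osquery tables the article queries: logical_drives, listening_ports and processes.
LOGICAL_DRIVES = [  # device_id, description, boot_partition, file_system, free_space, size, type
    ("C:", "Local Disk", 1, "NTFS", 12 * 1024**3, 238 * 1024**3, "Local Disk"),
    ("D:", "Data", 0, "NTFS", 400 * 1024**3, 931 * 1024**3, "Local Disk"),
]
LISTENING_PORTS = [  # pid, port, protocol, address
    (1234, 3389, 6, "0.0.0.0"),    # RDP reachable from the network
    (4321, 3389, 6, "127.0.0.1"),  # bound to loopback only, not exposed
    (777, 5900, 6, "0.0.0.0"),     # VNC reachable from the network
]
PROCESSES = [  # pid, name, path, cmdline
    (1234, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k NetworkService"),
    (4321, "proxy.exe", r"C:\tmp\proxy.exe", "proxy.exe"),
    (777, "vnc.exe", r"C:\Program Files\vnc\vnc.exe", "vnc.exe"),
]

def build_db():
    """In-memory SQLite database standing in for the endpoint's osquery tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logical_drives(device_id, description, boot_partition, "
               "file_system, free_space, size, type)")
    db.execute("CREATE TABLE listening_ports(pid, port, protocol, address)")
    db.execute("CREATE TABLE processes(pid, name, path, cmdline)")
    db.executemany("INSERT INTO logical_drives VALUES (?,?,?,?,?,?,?)", LOGICAL_DRIVES)
    db.executemany("INSERT INTO listening_ports VALUES (?,?,?,?)", LISTENING_PORTS)
    db.executemany("INSERT INTO processes VALUES (?,?,?,?)", PROCESSES)
    return db

def low_free_drives(db, threshold_pct=10.0):
    """Drives whose free space is below threshold_pct, using the article's arithmetic."""
    return db.execute(
        "SELECT device_id, ROUND(CAST(free_space AS FLOAT) / CAST(size AS FLOAT) * 100.0, 2) "
        "FROM logical_drives "
        "WHERE CAST(free_space AS FLOAT) / CAST(size AS FLOAT) * 100.0 < ?",
        (threshold_pct,)).fetchall()

def exposed_listeners(db, ports=(3389,)):
    """Article's join, extended to several ports and ignoring loopback-only listeners."""
    marks = ",".join("?" * len(ports))
    return db.execute(
        "SELECT lp.address, lp.pid, lp.port, p.name, p.path "
        "FROM listening_ports lp JOIN processes p ON lp.pid = p.pid "
        f"WHERE lp.port IN ({marks}) AND lp.address NOT IN ('127.0.0.1', '::1') "
        "ORDER BY lp.port", tuple(ports)).fetchall()
```

The owning process returned by the join is what tells you whether a 3389 listener is the expected Remote Desktop service (hosted in svchost.exe) or something unexpected, so check it before isolating a machine.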