Sophos Endpoint With XDR Live Discovery

1 Overview

Sophos Endpoint is one of Sophos' core security products. Beyond its antivirus-style protection, it provides tools for controlling and managing the user machines it is installed on. Live Discover is one of the more useful of these tools. In this article, thegioifirewall introduces the feature and walks through using Live Discover, a relatively new capability that is seeing increasing use.

Live Discover (also written Live Discovery) belongs to the Sophos Endpoint search and management tool family and is used through Sophos Central. It lets you look up information from managed devices and identify early signs of potential threats and insecure configurations on the network.

2 How it works

Client machines with the endpoint agent installed are centrally managed in Sophos Central. Live Discover ships a library of ready-made queries: select the information you need and click Run Query to retrieve it from the target machines. You can also write custom queries for your own purposes. Live Discover is built on osquery, so queries are written in osquery's SQL dialect (SQLite syntax) against tables that expose system state such as processes, ports and installed software.

When using Live Discover you can query information from two sources:

-Endpoint query: runs directly on computers that are currently online and returns their live state.

-Data Lake query: clients upload their information to the Data Lake, and when you run the query, Live Discover reads from the Data Lake instead of the device. This lets you query a user's machine even when it is offline, with the caveat that the results reflect the data last uploaded rather than the current state.

In this part, thegioifirewall shows how to use Live Discover to query information directly from endpoints. For querying and uploading information via the Data Lake, see the guide at the following link: Click

3 Usage guide

Open Live Discover from Sophos Central:

Overview > Threat Analysis Center > Live Discover.

Designer Mode lets you write and customize your own queries. Here we only use the built-in queries, so leave Designer Mode disabled.

The Query section groups the built-in queries by category. Select All queries to list every available query.

Use the Search box to filter the list by keyword. Each entry shows a description and the operating systems it supports, so you can pick the query that fits your devices.

Select the devices to query. This step is not needed for a Data Lake query. After selecting, click Update selected devices list.

Click Run query to run the query on the selected machines. Up to 4 queries can run concurrently against one device. The time to retrieve results depends on the number of machines in the system and the amount of data requested.

When the results arrive, they are displayed as follows.

Besides CPU information, the built-in queries cover hard drive details, open network ports, running processes and more.

The CPU information of the 2 selected PCs has now been retrieved.
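The article stays with the built-in queries, but Designer Mode accepts any osquery SQL, which is where the real value for triage lies. Below is an added example, not part of the original article: two Live Discover endpoint queries, each meant to be pasted and run on its own in Designer Mode. The first mirrors the CPU lookup above; the second goes further and joins open listening ports to their owning process and flags listeners whose binary sits outside the usual Windows install locations. The table and column names are osquery's standard schema (system_info, listening_ports, processes); the C:\Windows and C:\Program Files path filter is an assumption about a default Windows install and should be adjusted for your environment.

```sql
-- Added example for thegioifirewall's Live Discover walkthrough.
-- Live Discover runs osquery on the endpoint, so the dialect is osquery SQL
-- (SQLite syntax) over osquery's standard tables. Run each statement as a
-- separate query in Designer Mode; nothing here uses Sophos-specific tables.

-- 1) Hardware summary, the equivalent of the article's built-in CPU query.
--    system_info is available on Windows, Linux and macOS.
SELECT
  hostname,
  cpu_brand,
  cpu_physical_cores,
  cpu_logical_cores,
  ROUND(physical_memory / 1073741824.0, 1) AS ram_gb
FROM system_info;

-- 2) Listening-port triage: which process owns each externally reachable
--    port, and does its binary live somewhere unusual?
--    Assumption: Windows endpoint with the OS on C:. Loopback-only listeners
--    are dropped, and a missing process path (protected process, or the
--    agent could not read it) is reported rather than silently ignored.
SELECT
  lp.port,
  lp.protocol,                      -- 6 = TCP, 17 = UDP
  lp.address,
  p.pid,
  p.name,
  COALESCE(NULLIF(p.path, ''), '<unknown: path not readable>') AS path,
  CASE
    WHEN p.path IS NULL OR p.path = ''       THEN 'unknown'
    WHEN p.path LIKE 'C:\Windows\%'          THEN 'windows'
    WHEN p.path LIKE 'C:\Program Files%'     THEN 'program files'
    ELSE 'REVIEW'                   -- listener served from an unusual location
  END AS location
FROM listening_ports lp
LEFT JOIN processes p ON lp.pid = p.pid
WHERE lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY (location = 'REVIEW') DESC, lp.port;
```

Rows marked REVIEW (for example a listener running out of a user's profile or a temp directory) are the ones worth a second look; the built-in "open network ports" query returns the ports but leaves that correlation to you. The same query can be pointed at the Data Lake only if the tables it references are uploaded there, so keep it as an endpoint query unless you have confirmed the schema on the Data Lake side.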

4 Check the log

Every Live Discover run is recorded in the Sophos Central audit log, which is how you verify who queried which devices and when. Go to Logs & Reports.

Under General Logs, click Audit Logs.

The Live Discover query appears as follows, showing the user who ran the query, the query ID and related details.
