CE4530 4.0v1 Sophos Central XDR Live Discover Query Scheduling and Editing


Sophos Central XDR

Live Discover Query


Scheduling and Editing

Sophos Central Endpoint and Server Protection


Version: 4.0v1

[Additional Information]

Sophos Central Endpoint and Server Protection


CE4530: Sophos Central XDR Live Discover Query Scheduling and Editing

December 2022
Version: 4.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.

Sophos Central XDR Live Discover Query Scheduling and Editing - 1


Sophos Central XDR Live Discover Query Scheduling and Editing
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ What Sophos XDR is
✓ How to run an Endpoint Live Discover query
✓ What the Sophos Data Lake is and how to run Data Lake queries

In this chapter you will learn how to select a Sophos canned query in Live Discover, edit it (if
required) and run the query. You will also learn how to select and remove the devices for an
Endpoint Live Discover query, and how to schedule a Data Lake query to run regularly.

DURATION 10 minutes

In this chapter you will learn how to select a Sophos canned query in Live Discover, edit it (if required),
and run the query.

You will also learn how to select and remove devices for an Endpoint Live Discover query, and how to
schedule a Data Lake query to run regularly.



Selecting a Canned Query

Selecting a canned query.



Selecting a Canned Query

Canned queries are categorized by Sophos

Pre-defined or ‘canned’ queries are queries that have been written by Sophos and are available for use
without the need for editing. They are split into categories making it easy to locate queries.

To select a canned query in Live Discover, navigate to Threat Analysis Center > Live Discover. The
number in brackets indicates how many queries are available in the category.



Selecting a Canned Query
A list of available queries in the selected category is listed

Once the query category has been selected, a list of available queries in that category is displayed.

Here we can see queries that will return BitLocker info, Certificates, and CPU information.



Searching for a Canned Query

The supported operating systems

It is possible to search for queries. A query search will return queries that match the search term from
all available categories. This is because the search looks for the search term in the last modified,
created by, performance, name, and description fields. It will also check the query categories and
return any that match the search term.

The results returned show the name, description and category of the query. It is worth noting the
‘Sources’ column, which indicates the platforms the query is supported on. In this case only the
Windows, Linux and macOS operating systems are supported.



Viewing the Selected Query

View the name, supported OS, expected performance, data transfer and execution time of the query

Once a query is selected you can view the name, description, supported operating system, and the
expected performance of the query.

Please note that you will only see the expected performance if the query has previously been run.



Expected Performance

Amount of data returned + Execution time = Expected performance

AGGREGATE PERFORMANCE          EXECUTION TIME
(data returned)           0-5s        5-30s      >30-120s   >120s

0-1Kb                     EXCELLENT   GOOD       FAIR       POOR
>1-5Kb                    GOOD        GOOD       FAIR       POOR
>5-10Kb                   FAIR        FAIR       FAIR       POOR
>10Kb                     POOR        POOR       POOR       POOR

The expected performance of a query is evaluated on two values:

• The amount of data returned
• The execution time on the endpoint

This table displays the expected performance based on execution time and the amount of data
returned.

It is worth noting that there is a watchdog service running. This service will terminate a query if that
query is using too much CPU or memory.



Run the Selected Query

One or more devices must be selected before it is possible to run an Endpoint Live Discover query.



Export the Query Results

The query results are displayed and can be exported as a .csv file.



Viewing the Selected Query

Enable Designer Mode to view the SQL for a query

We do not expect you to know SQL in order to use Live Discover, however, the SQL used for any
selected query can be viewed by enabling ‘Designer Mode’. The SQL will display which data tables are
being returned. Additionally, in designer mode you can edit the query should this be required.



Editing A Query

Editing a query.



How to Edit an Existing Query

We need more
information from
this query…

No problem! We
can edit this query.

The canned queries that are available may return some of the data required; however, further data
from devices could be needed.

This is where the option to edit a query becomes useful. To edit a query, you need to first enable
‘Designer Mode’. Once designer mode has been enabled, you will see the Edit option for a query.



Editing a Query – What is the Query Asking?

Currently, this query will return the service name, start type, path, status and user_account details
from the services table

Let’s look at an example.

The selected query will return the following data found in the services table for all devices it is run on:
Service Name, Start Type, Path, Status, and User_Account.



Editing a Query

Select Edit to edit a query

The services table has more data columns available

Looking at the schema table (having run the schema table query and exported it) there is more data in
the services table that could be returned.

For this example, the existing query will be edited to include the description of the service.

To add this additional element, select Edit in the ‘Query Selection’ section.



Editing a Query

Re-name the query

Edit the SQL command.

The query is re-named so that it can be saved as a new query.

In the SQL field, the column name ‘description’ is added to the column data list. This is a list of the
data columns that will be returned from the services table.

You will need to re-name the query and then click Save to save the changes.
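As an added example (not Sophos's code and not the page's own query), the edit described above reconstructed in Python over an in-memory SQLite table: the canned column list, the edited list with the description column, a check of the requested columns against the exported schema table before the query is saved, and the query run over constructed sample rows. Column names assume Live Discover's services table follows the osquery services schema; the sample rows are constructed.

```python
import sqlite3

# Columns returned by the canned services query, as described on the slides
CANNED_COLUMNS = ["name", "start_type", "path", "status", "user_account"]
# The edited query adds the service description column
EDITED_COLUMNS = CANNED_COLUMNS + ["description"]

# Stand-in for the exported schema table. Assumption: Live Discover's services
# table follows the osquery services schema (constructed for this example).
SCHEMA = {
    "services": ["name", "service_type", "display_name", "status", "pid",
                 "start_type", "win32_exit_code", "service_exit_code", "path",
                 "module_path", "description", "user_account"],
}

# Constructed sample rows standing in for data returned from protected devices
SAMPLE_SERVICES = [
    {"name": "Spooler", "start_type": "DEMAND_START",
     "path": r"C:\Windows\System32\spoolsv.exe", "status": "RUNNING",
     "user_account": "LocalSystem",
     "description": "Loads files to memory for later printing"},
    {"name": "W32Time", "start_type": "AUTO_START",
     "path": r"C:\Windows\system32\svchost.exe -k LocalService",
     "status": "STOPPED", "user_account": "NT AUTHORITY\\LocalService",
     "description": "Maintains date and time synchronization"},
]


def build_query(columns, table="services"):
    """Build the SELECT for the column list, refusing any column the exported
    schema does not list (the check to make before saving an edited query)."""
    unknown = [c for c in columns if c not in SCHEMA[table]]
    if unknown:
        raise ValueError(f"columns not in {table} schema: {unknown}")
    return f"SELECT {', '.join(columns)} FROM {table}"


def run_query(columns):
    """Run the query against an in-memory SQLite copy of the services table."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE services ({', '.join(SCHEMA['services'])})")
    for row in SAMPLE_SERVICES:
        cols, marks = ", ".join(row), ", ".join("?" for _ in row)
        con.execute(f"INSERT INTO services ({cols}) VALUES ({marks})",
                    list(row.values()))
    rows = [dict(zip(columns, r)) for r in con.execute(build_query(columns))]
    con.close()
    return rows
```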



Editing a Query

In this example, we did not amend the category of the query. Therefore, the new query we have
created can be found in the devices category and is listed alphabetically in the list of queries.

In the ‘Created by’ column you can view any edited or newly created queries as these will be listed as
your Sophos Central account name.



Editing a Query

Canned queries created by Sophos cannot be deleted

Selecting the edited query gives you the option to Delete or Edit the query.

Please note that canned queries created by Sophos cannot be deleted.



Editing a Query
The edited query has been run and returns the additional data added to the SQL command

The Sophos canned query provided the name of the services, however, for this example, more
information was required regarding what the services do. The canned query was edited, and the
‘description’ data column was added to the query.

When the edited query is run, you will see in the results that the description column is returned. You
can now view a description of each service that is installed on your protected devices.



Device Selection

Device selection.



Device Selection

To run an Endpoint Live Discover query you need to select the device or devices you wish to run the
query on.

Using filters you can refine your device list by online status, type, group, etc.



Device Selection

Select single devices

Select ALL devices

Select a device using the check box next to the device name. To select all devices, select the check box
next to the ‘Name’ column.



Device Selection

Once you have selected the device or devices click Update selected devices list to save the selection.



Device Selection

You will then see that the number of selected devices is amended.



Remove a Device

To remove a device, un-tick the selection box next to the device and click Update selected devices list.



Scheduling Queries

Scheduling queries.



Scheduled Queries

Additional information in the notes

Create scheduled queries to run regularly

Only Data Lake queries can be scheduled

Administrators can use scheduled queries to run regular reports based on the information available in
the Data Lake.

It is important to understand that it is only possible to schedule Data Lake queries, as these return
data for devices regardless of whether they are online or offline.

[Additional Information]
A video showing the scheduled reports is available in Sophos Tech Videos here:
https://techvids.sophos.com/watch/P5WkjrUHsvAxMujH6zG5hL



How to Schedule a Query

Select the option to Schedule Query

It is simple to set up a scheduled query. Navigate to Threat Analysis Center > Live Discover and select a
Data Lake query.

Before you schedule a query, we recommend that you run the query first in order to confirm that the
data returned is what you want to see regularly and that the variables required are applied.

Once you have selected the query you will see the option to either Schedule Query or Run Query.

Click Schedule Query.



How to Schedule a Query

The query can now be scheduled. Change the name and add a description if required.

Determine the frequency of the scheduled query. In this example we have selected the query to run
daily, Monday to Friday, and it will run until the user cancels the schedule.

Please note that the query will be run at midnight in the time zone the administrator created it in. This
remains true even if the administrator later logs in from a different time zone.

Click Create Scheduled Query.



Viewing Scheduled Queries

View how much space you have left for scheduled queries

View your scheduled queries

Scheduled queries are viewed by navigating to Threat Analysis Center > Preferences > Scheduled
Queries.

Newly created scheduled queries will appear at the top of the query list. There is a limit to the number
of queries that can be scheduled; the ‘Activity Scheduled’ bar indicates how much space you have left.



Viewing Scheduled Queries

The scheduled query list displays the frequency of the query along with the administrator who created
it and the schedule status. The actions option allows you to:

• View the query that is scheduled including the variables that are included
• Disable the schedule or edit the frequency of the scheduled query
• View the results of the query



How to Delete a Scheduled Query

Deleting a scheduled query will delete the schedule and all associated results

To delete a scheduled query, simply select the query you want to delete from the list and click Delete.

You will need to confirm you want to delete the query. Please note that when you delete a query it will
delete the schedule and all associated results.



Knowledge Check

Take a moment to check your knowledge!



Question 1 of 2

True or False: To search for a query you must first select the required category.

True False



Question 2 of 2

Which of these queries can be scheduled?

All Queries Endpoint Queries

Data Lake Queries



Chapter Review

Here are the main things you learned in this chapter.

Canned queries are queries that have been written by Sophos. To edit a canned query, you must
enable ‘Designer Mode’.

A query search will return queries that match the search term from all available categories.

Only Data Lake queries can be scheduled.
