CE4530 4.0v1 Sophos Central XDR Live Discover Query Scheduling and Editing
[Additional Information]
December 2022
Version: 4.0v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
In this chapter you will learn how to select a Sophos canned query in Live Discover, edit it (if required),
and run the query.
You will also learn how to select and remove devices for an Endpoint Live Discover query, and how to
schedule a Data Lake query to run regularly.
Pre-defined or ‘canned’ queries are queries that have been written by Sophos and are available for use
without the need for editing. They are split into categories making it easy to locate queries.
To select a canned query in Live Discover, navigate to Threat Analysis Center > Live Discover. The
number in brackets indicates how many queries are available in the category.
Once the query category has been selected, a list of available queries in that category is displayed.
Here we can see queries that will return BitLocker info, Certificates, and CPU information.
It is possible to search for queries. A query search returns matching queries from all available
categories, because the search looks for the search term in the last modified, created by,
performance, name, and description fields. It also checks the query categories and returns any
that match the search term.
The results returned show the name, description and category of the query. Note the ‘Sources’
column, which indicates the platforms the query is supported on. In this case only Windows,
Linux and macOS operating systems are supported.
View the name, supported OS, expected performance, data transfer and execution time of the query
Once a query is selected you can view the name, description, supported operating system, and the
expected performance of the query.
Please note that you will only see the expected performance if the query has previously been run.
This table displays the expected performance based on execution time and the amount of data
returned.
It is worth noting that there is a watchdog service running. This service will terminate a query if that
query is using too much CPU or memory.
One or more devices must be selected before it is possible to run an Endpoint Live Discover query.
The query results are displayed and can be exported as a .csv file.
We do not expect you to know SQL in order to use Live Discover; however, the SQL used for any
selected query can be viewed by enabling ‘Designer Mode’. The SQL shows which data tables the
query reads from. Additionally, in designer mode you can edit the query should this be required.
Editing a query.
The canned queries that are available may return some of the data required, but further data from
devices could be needed.
This is where the option to edit a query becomes useful. To edit a query, first enable
‘Designer Mode’. Once designer mode has been enabled, you will see the Edit option for a query.
The selected query will return the following data found in the services table for all devices it is run on:
Service Name, Start Type, Path, Status, and User_Account.
Looking at the schema table (having run the schema table query and exported it), there is more data
in the services table that could be returned.
For this example, the existing query will be edited to include the description of the service.
To add this additional element, select Edit in the ‘Query Selection’ section.
In the SQL field, the column name ‘description’ is added to the column data list. This is a list of the
data columns that will be returned from the services table.
You will need to rename the query and then click Save to save the changes.
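The before-and-after SQL for this edit, written here as an added example (it is not the canned query text from the page; the osquery `services` column names, and the `start_type` value and path prefixes used in the third query, are assumptions). The third query goes one step beyond the text to show that the same edit can also narrow the result set with a WHERE clause.

```sql
-- Added illustration, not the Sophos canned query itself. The column list is
-- reconstructed from the fields the text says the query returns (osquery
-- 'services' table, Windows only).

-- 1. Query as selected: one row per Windows service with the five columns
--    the canned query returns.
SELECT
    name,
    start_type,
    path,
    status,
    user_account
FROM services;

-- 2. Same query after the edit described above: 'description' is appended to
--    the column list so the results explain what each service does.
SELECT
    name,
    start_type,
    path,
    status,
    user_account,
    description
FROM services;

-- 3. A further edit of the same kind (assumption, not from the page): keep only
--    auto-starting services whose binary is not under the Windows or Program
--    Files directories, a list short enough to review by hand. 'AUTO_START' and
--    the path prefixes are assumptions about the osquery schema and typical
--    installs; LTRIM strips a leading quote from quoted image paths.
SELECT
    name,
    start_type,
    path,
    status,
    user_account,
    description
FROM services
WHERE start_type = 'AUTO_START'
  AND LOWER(LTRIM(path, '"')) NOT LIKE 'c:\windows\%'
  AND LOWER(LTRIM(path, '"')) NOT LIKE 'c:\program files%'
ORDER BY name;
```

Paste the edited SELECT into the SQL field in Designer Mode, rename the query and save it, as described above.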
In this example, we did not amend the category of the query. Therefore, the new query we have
created can be found in the devices category and is listed alphabetically in the list of queries.
Edited or newly created queries are easy to identify because the ‘Created by’ column lists them
under your Sophos Central account name.
Selecting the edited query gives you the option to Delete or Edit the query.
The Sophos canned query provided the name of the services, however, for this example, more
information was required regarding what the services do. The canned query was edited, and the
‘description’ data column was added to the query.
When the edited query is run, you will see in the results that the description column is returned. You
can now view a description of each service that is installed on your protected devices.
Device selection.
To run an Endpoint Live Discover query you need to select the device or devices you wish to run the
query on.
Using filters you can refine your device list by online status, type, group, etc.
Select a device using the check box next to the device name. To select all devices, select the check box
next to the ‘Name’ column.
Once you have selected the device or devices click Update selected devices list to save the selection.
You will then see that the number of selected devices is amended.
To remove a device, un-tick the selection box next to the device and click Update selected devices list.
Scheduling queries.
Administrators can use scheduled queries to run regular reports based on the information available in
the Data Lake.
It is important to understand that only Data Lake queries can be scheduled, because they query the
Data Lake and therefore return data for devices whether they are online or offline.
[Additional Information]
A video showing the scheduled reports is available in Sophos Tech Videos here:
https://techvids.sophos.com/watch/P5WkjrUHsvAxMujH6zG5hL
It is simple to set up a scheduled query. Navigate to Threat Analysis Center > Live Discover and select a
Data Lake query.
Before you schedule a query, we recommend that you run the query first in order to confirm that the
data returned is what you want to see regularly and that the variables required are applied.
Once you have selected the query you will see the option to either Schedule Query or Run Query.
The query can now be scheduled. Change the name and add a description if required.
Determine the frequency of the scheduled query. In this example we have set the query to run daily,
Monday to Friday, until the user cancels the schedule.
Please note that the query will be run at midnight in the time zone the administrator created it in. This
remains true even if the administrator later logs in from a different time zone.
Scheduled queries are viewed by navigating to Threat Analysis Center > Preferences > Scheduled
Queries.
Newly created scheduled queries will appear at the top of the query list. There is a limit to the number
of queries that can be scheduled; the ‘Activity Scheduled’ bar indicates how much space you have left.
The scheduled query list displays the frequency of the query along with the administrator who created
it and the schedule status. The actions option allows you to:
• View the query that is scheduled including the variables that are included
• Disable the schedule or edit the frequency of the scheduled query
• View the results of the query
To delete a scheduled query, simply select the query you want to delete from the list and click Delete.
You will need to confirm you want to delete the query. Please note that when you delete a query it will
delete the schedule and all associated results.
True or False: To search for a query you must first select the required category.
True False
Canned queries are queries that have been written by Sophos. To edit a canned query, you must enable
‘Designer Mode’.
A query search will return queries that match the search term from all available categories.