Skip to content

NDR Query

NDR query lets you search the local database of Sophos NDR events. This feature is useful for troubleshooting.

Note

This database of NDR events is on the VM where your appliance runs. It isn't the same as the Sophos Data Lake.

Currently only predefined queries are available. In future, we'll make a schema available and you'll be able to write queries if you want to.

Run a query

To run a query, do as follows:

  1. Click NDR Query.

    NDR Query in left menu.

  2. On the Query page, click Example queries to see predefined queries.

  3. In the Example queries list, find the query you want to run. Click the Copy icon Copy. next to it.

  4. Paste the query into the text box and click the Go Go. icon.

  5. Review the results in the Query Results area.

    You can drag and drop columns to arrange them in the order that's best for you.