Sophos XDR: How to query Windows workstations and servers for vulnerable applications

Overview

Sophos Extended Detection and Response (XDR) lets you investigate detected threats ("threat cases") and search for new threats or security weaknesses. It also lets you monitor devices and fix issues remotely. Sophos XDR gives you access both to data stored in the cloud and to data held directly on the device, which means you always have the most up-to-date data possible.

This article shows how to use the Live Discover tool of Sophos CIXA with EDR to query all Windows workstations and servers for installed applications with known CVEs. This reduces the time administrators spend going to each machine to check it by hand.

Diagram

How to configure

Step 1: Create Custom Query

  • Log in to Sophos Central Admin -> Choose Threat Analysis Center -> Choose Live Discover -> Enable Designer mode -> Click Create new query
  • Enter a name for the query
  • In Category: Choose the category you want to add the query to
  • In Source: Choose Live Endpoint and choose the OS (some queries do not support every OS; check the Sophos Community for more information)
  • In SQL: Enter the query code

WITH program_list AS (
  SELECT
    REPLACE(REPLACE(REPLACE(name, ',', ' '), '+', ' '), '.', ' ') name,  -- strip characters not normally found in product names to improve the chance of a match in the CVE DB
    version,
    REPLACE(REPLACE(REPLACE(publisher, ',', ' '), '+', ' '), '.', ' ') publisher
  FROM programs
  WHERE version > ''
)
/* We search for the publisher, product name and version and add the wildcard '%' after we
   reduce the publisher and product to a simple one-word name. The expectation is that these three
   pieces of information should be relatively unique, but we can still get false positives. */
SELECT
  publisher,
  CAST(name AS TEXT) || ' ' || version Application,
  url 'Identified CVE List'
FROM program_list
JOIN curl ON
  url = 'https://www.cvedetails.com/version-search.php?vendor='
    || replace(program_list.publisher, ltrim(program_list.publisher, replace(program_list.publisher, ' ', '')), '')  -- first word of the publisher
    || '%&product='
    || replace(program_list.name, ltrim(program_list.name, replace(program_list.name, ' ', '')), '')  -- first word of the product name
    || '%&version='
    || program_list.version
WHERE result LIKE '%Details for%';

  • Click Save
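As an added example (not from the article or from Sophos), the following Python script runs the same normalisation and first-word extraction as the Live Discover query inside Python's sqlite3 module, the SQL engine osquery itself embeds, over a constructed set of installed-program rows; the curl join is replaced by returning the URL the query would fetch, so it runs offline.

```python
import sqlite3

# Constructed sample rows standing in for osquery's "programs" table on a Windows host
# (name, version, publisher). The last row has no version and must be filtered out.
SAMPLE_PROGRAMS = [
    ("7-Zip 19.00 (x64)", "19.00", "Igor Pavlov"),
    ("Google Chrome", "91.0.4472.124", "Google LLC"),
    ("Microsoft Visual C++ 2015 Redistributable", "14.0.24215", "Microsoft Corporation"),
    ("Some Driver Package", "", "ACME, Inc."),
]

# The Live Discover query's normalisation and first-word extraction, with the curl join
# replaced by returning the URL it would fetch. osquery embeds SQLite, so REPLACE,
# LTRIM with a character set and || behave exactly as they do in Live Discover.
QUERY = """
WITH program_list AS (
  SELECT
    REPLACE(REPLACE(REPLACE(name, ',', ' '), '+', ' '), '.', ' ') name,
    version,
    REPLACE(REPLACE(REPLACE(publisher, ',', ' '), '+', ' '), '.', ' ') publisher
  FROM programs
  WHERE version > ''
)
SELECT
  publisher,
  CAST(name AS TEXT) || ' ' || version AS application,
  'https://www.cvedetails.com/version-search.php?vendor='
    -- ltrim(x, chars) strips every leading character found in the space-less copy of x,
    -- i.e. the whole first word; removing that remainder from x leaves only the first word
    || replace(publisher, ltrim(publisher, replace(publisher, ' ', '')), '')
    || '%&product='
    || replace(name, ltrim(name, replace(name, ' ', '')), '')
    || '%&version=' || version AS url
FROM program_list
"""


def build_cve_lookup_urls(rows=SAMPLE_PROGRAMS):
    """Return (publisher, application, url) rows the query would hand to the curl table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE programs (name TEXT, version TEXT, publisher TEXT)")
    con.executemany("INSERT INTO programs VALUES (?, ?, ?)", rows)
    return con.execute(QUERY).fetchall()


if __name__ == "__main__":
    for publisher, application, url in build_cve_lookup_urls():
        print(f"{publisher:22} {application:45} {url}")
```

Note that "Google Chrome" collapses to product=Google%, which is exactly the kind of broad match the query's own comment warns can produce false positives, so read the Identified CVE List column with that in mind.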

Step 2: Test Query

  • Choose the query created in Step 1
  • In Device selector: Choose the computers you want to query
  • Click Run Query

Step 3: Check the result
