Sophos XDR gives you access to both data stored in the cloud and directly on the device. Which means you always have the most up-to-date data possible.
Customers get 30 days of cloud storage in the Sophos Data Lake, in addition to up to 90 days of data that is stored directly on the device for real-time and historical searches. So even if a device is offline you can still access its critical data to investigate suspicious activity.
The article will guide you how to custom query Bitlocker information after deploying Sophos Device Encryption on Endpoints.
Step 1: Custom Query Bitlocker Info.
With Sophos XDR, there is already a query about bitlocker info available for you to query, but you can still customize this query to get more detailed information.
To learn more about new queries you can join the following forum: https://community.sophos.com/intercept-x-endpoint/p/query-forum
Login Sophos Central Admin > Threat Analysis Center > Live Discover > EndpointQueries.
Here you can see the queries built-in by Sophos, with query category such as Device, Network, etc. You just need to select the query type, select the endpoint will be query and check the returned results.
To custom query, select Enable Designer Mode > Create new query.
Next, fill in the following information:
- Query Name: Name the query
- Category: Select the query category
- Enter in the description if you want.
Scroll down and select Live Endpoint > Windows.
SQL: You enter the query code for get bitlocker information.
SELECT device_id,drive_letter,percentage_encrypted, encryption_method, version, persistent_volume_id,
WHEN 1 THEN ‘Fully Encrypted’
WHEN 2 THEN ‘Encryption In Progress’
WHEN 3 THEN ‘Decryption In Progress’
WHEN 4 THEN ‘Encryption Paused’
WHEN 5 THEN ‘Decryption Paused’
ELSE ‘Fully Decrypted’
WHEN 0 THEN ‘Protection Off’
WHEN 1 THEN ‘Protection On’
WHEN 0 THEN ‘Unlocked’
WHEN 1 THEN ‘Locked’
Step 2: Select Endpoint Query
Next, you select the Endpoints will be query or select all endpoints. Then click Run Query.
Continue click Run Query.
You wait for the Query to finish running on the Endpoint with the status “Finish – OK”.
Step 3: Check the results.
The results table shows which drives are on the endpoints.
and Protection _status is OFF, which means that this endpoint has not installed Sophos Device Encryption. And Protection _status is ON, the endpoint has installed Sophos Device Encryption with Full Encrypted C drive.