Sophos XDR: How to Run Query Check Service Running or Stopped on Endpoint.


Sophos Extended Detection and Response (XDR) lets you investigate detected threats (“threat cases”) and search for new threats or security weaknesses. It also lets you monitor devices and fix issues remotely. Sophos XDR gives you access to both data stored in the cloud and directly on the device. Which means you always have the most up-to-date data possible.


The article will guide you how to use SQL code query to check whether services are Running or Stopped on Endpoint.


Step 1: Custom Query check Service.

To learn more about new queries you can join the following forum:

Login Sophos Central Admin > Threat Analysis Center > Live Discover > EndpointQueries.

Here you can see the queries built-in by Sophos, with query category such as Device, Network, etc. You just need to select the query type, select the endpoint to query and check the returned results.

To custom query, select Enable Designer Mode > Create new query.

Next, fill in the following information:

  • Query Name: Enter name the query you want
  • Category: Select the query category
  • Fill in the description if you want.

Scroll down and select Live Endpoint > Windows.

SQL section: You enter the query code for a specific Service like Sophos.

SQL code:

Note: You can change “display_name” – Check Service like Sophos, Windows, Microsoft,…
And “status” RUNNING or STOPPED.

FROM services
WHERE display_name like ‘%Sophos%’
AND status = ‘RUNNING’;

Step 2: Select Endpoint Query

Next, you need select the Endpoint to query. Then click Run Query.

You wait for the Query to finish running on the Endpoint with the status “Finish – OK”.

Step 3: Check the results.

The result will show all Running Service of Sophos.

You can also change SQL code to query another Service like Windows — Status is “STOPPED” to know which Windows Services from being stopped.

Result of running query. List of Windows Services that are being stopped.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.