Sophos XDR: How to Run a Query to Check Windows Update by KB Article on an Endpoint


Sophos Extended Detection and Response (XDR) lets you investigate detected threats (“threat cases”) and search for new threats or security weaknesses. It also lets you monitor devices and fix issues remotely. Sophos XDR gives you access to both data stored in the cloud and data stored directly on the device, which means you always have the most up-to-date data possible.

Diagram Query

This article shows how to use a SQL query to look up a Windows update package by its KB article number and see whether that package has been installed on an endpoint.


Step 1: Create a custom query to check Windows Update by KB article.

To learn more about new queries you can join the following forum:

Log in to Sophos Central Admin > Threat Analysis Center > Live Discover > EndpointQueries.

Here you can see the queries built in by Sophos, grouped by query category such as Device, Network, etc. You just need to select the query type, select the endpoint to query and check the returned results.

To create a custom query, select Enable Designer Mode > Create new query.

Next, fill in the following information:

  • Query Name: Enter the name you want for the query.
  • Category: Select the query category.
  • Description: Fill in a description if you want.

Scroll down and select Live Endpoint > Windows.

SQL section: Enter the code that queries Windows Update by KB article.

SQL code:

Note: You need to add a variable for the query (variable $$KB$$, type String). You choose the variable name yourself. Ex: KB,…


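    SELECT
        title, support_url, size, kbarticle, msrc_severity,
        CASE
            -- Show a readable status when the update is installed
            WHEN installed = 'true' THEN 'Update is installed'
        END AS installed
    FROM <windows_update_table>  -- placeholder: the table name is not shown on this page
    WHERE kbarticle = '$$KB$$'   -- $$KB$$ is filled from the KB variable at run time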

This SQL code uses a variable, so you need to add it before the query can run. Click Show variable editor > Add variable.

The variable to add is “KB”. You can recognize the variables that need to be created by the form “$$….$$” in the query.

  • Variable type: String.
  • Enter value to use when query runs: Enter the KB article number of the Windows update to check. Ex: KB4052623

Step 2: Select Endpoint Query

Next, select the endpoint to query. Then click Run Query.

If a message appears as shown below, click Run Query again to continue.

Wait for the query to finish running on the endpoint with the status “Finish – OK”.

Step 3: Check the results.

After the query runs, you will see information such as the endpoint that installed the update with KB4052623. The title is Update for Windows Defender….

You can check other KBs, such as KB5005539. In the results for that one, we see that this KB has not been installed on the endpoint.
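To see the outcomes described in Step 3 without an endpoint, the Python below (an added example, not part of the original article or Sophos code) runs the same CASE/WHERE logic against a constructed in-memory SQLite table and validates the KB value before using it. The table name `updates`, the sample rows and the function `check_kb` are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample data: table name "updates" and both rows are made up.
ROWS = [
    ("Update for Windows Defender (constructed)", "KB4052623", "true"),
    ("Sample cumulative update (constructed)", "KB5005539", "false"),
]

# Same CASE/WHERE logic as the article's query; "?" stands in for '$$KB$$'.
QUERY = """
SELECT title, kbarticle,
       CASE WHEN installed = 'true' THEN 'Update is installed' END AS installed
FROM updates
WHERE kbarticle = ?
"""

KB_FORMAT = re.compile(r"KB\d+")  # e.g. KB4052623


def check_kb(kb):
    """Classify one KB as 'installed', 'not installed' or 'not listed'."""
    if not KB_FORMAT.fullmatch(kb):
        raise ValueError(f"expected a value like KB4052623, got {kb!r}")
    db = sqlite3.connect(":memory:")
    try:
        db.execute("CREATE TABLE updates (title TEXT, kbarticle TEXT, installed TEXT)")
        db.executemany("INSERT INTO updates VALUES (?, ?, ?)", ROWS)
        rows = db.execute(QUERY, (kb,)).fetchall()
    finally:
        db.close()
    if not rows:
        return "not listed"  # zero rows: the table has no entry for this KB
    # Without an ELSE branch the CASE yields NULL (None) for any other value.
    return "installed" if rows[0][2] == "Update is installed" else "not installed"


if __name__ == "__main__":
    for kb in ("KB4052623", "KB5005539", "KB0000000"):
        print(kb, "->", check_kb(kb))
```

An empty result and a row whose status is empty are different findings, so treat "no rows returned" separately from "listed but not installed" when reading query results.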
