Sophos Extended Detection and Response (XDR) lets you investigate detected threats (“threat cases”) and search for new threats or security weaknesses. It also lets you monitor devices and fix issues remotely. Sophos XDR gives you access to both data stored in the cloud and directly on the device. Which means you always have the most up-to-date data possible.
The article will guide you how to use SQL code to query and check all windows update packages available on Windows, see if these packages have been updated or not.
Step 1: Custom Query check Windows Update.
To learn more about new queries you can join the following forum: https://community.sophos.com/intercept-x-endpoint/p/query-forum
Login Sophos Central Admin > Threat Analysis Center > Live Discover > EndpointQueries.
Here you can see the queries built-in by Sophos, with query category such as Device, Network, etc. You just need to select the query type, select the endpoint to query and check the returned results.
To custom query, select Enable Designer Mode > Create new query.
Next, fill in the following information:
- Query Name: Enter name the query you want
- Category: Select the query category
- Fill the description if you want.
Scroll down and select Live Endpoint > Windows.
SQL section: You enter the code to query windows update.
title, support_url, size, kbarticle, msrc_severity,
WHEN installed = ‘true’ THEN ‘Update is installed’
END AS installed
Step 2: Select Endpoint Query
Next, you need select the Endpoint to query. Then click Run Query.
If a message appears as shown below, continue click Run Query.
You wait for the Query to finish running on the Endpoint with the status “Finish – OK”.
Step 3: Check the results.
After running the query. You will have information such as the machine name, the update kb available on the computer and the status of whether the update has been installed or not.
With this information you will know which machines need to be updated.