Sophos XDR: Instructions for creating a Query to check applications installed on a server or workstation within a specified period of time

1.The purpose of the article

Techbast will guide you to use Sophos Central’s Live Discover feature to create a query that checks for applications that have been installed on a server or workstation within a specified period of time.



  • The internet connection is connected at port 2 of the Sophos Firewall device with IP 10,150.30.106.
  • The LAN subnet is configured at port 1 of the Sophos XG Firewall device with IP and configured with a DHCP Server to allocate IPs to connected devices.
  • In the LAN we will have 1 device, a WIN-V3N9Q4OC2GG server with IP and installed Sophos Endpoint.


Make a Query on Sophos Central using the Live Discover feature to check the list of installed applications for a specified period of time.

4.What to do

  • Create query.


5.1.Create query

To create a query, go to Threat Analysis Center > Live Discover.

First we will turn on Designer Mode.

Then we click Create new query to create a new query.

The query creation table appears, we will enter the following information:

  • Query Name: Name this query Query List Software.
  • Category: select Device.
  • Source: select Live Endpoint and select Windows (Note with this option, the computer or server must have an internet connection to be able to query).
  • In the SQL box we enter the code below.
  • In the Variable editor we click Add variable to add a date parameter between the start and end date.
  • For example, if you want to see a list of applications installed from October 20, 2019 to October 31, 2019, you enter StartDate as October 20 and EndDate as October 31 as shown below:
  • At Device selector we select the server installed Sophos Endpoint and click Query.

Wait a few seconds, the query result will show a list of software installed in the time period that we entered.

With the Live Discover feature and this query, it helps us to check if there are any strange applications installed on the server or if the user is installing non-work related applications. to the machine or not.

It also provides the time that the application was installed so that it can be easily traced by the administrator.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.