
Overview
Sophos Extended Detection and Response (XDR) lets you investigate detected threats ("threat cases") and search for new threats or security weaknesses. It also lets you monitor devices and fix issues remotely. Sophos XDR gives you access both to data stored in the cloud and to data held directly on the device, which means you always have the most up-to-date data possible.
This article shows how to use the Live Discover tool of Sophos CIXA with EDR to query all Windows workstations and servers and find the ones that need a reboot. This saves administrators the time of going to each machine to check.
Diagram

How to configure
Step 1: Create Custom Query
- Login to Sophos Central Admin -> Choose Threat Analysis Center -> Choose Live Discover -> Enable Designer mode -> Click Create new query

- Enter name for query
- In Category: Choose category which you want to add query
- In Source: Choose Live Endpoint and choose OS (some queries will not support the OS you choose) -> Check more information in Sophos Community
- In SQL: Enter query code
-- Reads the Sophos AutoUpdate "reboot required" flag from the registry
WITH rebootRequired AS (SELECT
CASE
WHEN data LIKE '1' THEN 'Yes'
ELSE 'No'
END AS RebootRequired
FROM registry
WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus\VolatileFlags\RebootRequired'),
-- Converts the millisecond epoch timestamp to local time
rebootRequiredDate AS (SELECT datetime(CAST(data AS unsigned_bigint)/1000,'unixepoch','localtime') AS RequiredSince
FROM registry
WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus\VolatileFlags\RebootRequiredSince')
SELECT RebootRequired,
CASE
WHEN RebootRequired = 'No' THEN 'n/a'
ELSE RequiredSince
END AS rebootRequiredDate
FROM rebootRequired JOIN rebootRequiredDate
- Click Save
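The query above joins two CTEs without an ON clause, so it returns one row only when both Sophos registry values exist; on an endpoint where either value is absent the JOIN produces no row at all, which is easy to mistake for "no reboot needed". The following is an added example (not part of the original article or Sophos documentation) that returns one row per endpoint regardless, labels the missing case explicitly, and adds the hostname from osquery's system_info table so results from many devices are easy to read. It assumes Live Discover exposes the standard osquery registry and system_info tables, which is the same assumption the original query makes.

```sql
-- Added example: reboot-required status with hostname, one row per endpoint
-- even when the Sophos VolatileFlags values are not present in the registry.
WITH flag AS (
    SELECT data AS raw_flag
    FROM registry
    WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus\VolatileFlags\RebootRequired'
),
since AS (
    -- value is a millisecond epoch; convert to local time
    SELECT datetime(CAST(data AS unsigned_bigint) / 1000, 'unixepoch', 'localtime') AS required_since
    FROM registry
    WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus\VolatileFlags\RebootRequiredSince'
)
SELECT
    si.hostname,
    -- scalar subqueries return NULL when the registry value does not exist,
    -- so the missing case can be reported instead of silently dropping the row
    CASE
        WHEN (SELECT raw_flag FROM flag) IS NULL THEN 'Unknown (value not present)'
        WHEN (SELECT raw_flag FROM flag) = '1' THEN 'Yes'
        ELSE 'No'
    END AS reboot_required,
    CASE
        WHEN (SELECT raw_flag FROM flag) = '1'
            THEN COALESCE((SELECT required_since FROM since), 'n/a')
        ELSE 'n/a'
    END AS reboot_required_since
FROM system_info AS si;
```

Because system_info always returns exactly one row per endpoint, every device selected in Step 2 appears in the result, and an "Unknown" value tells you the Sophos AutoUpdate flags could not be read (for example, on a machine where the agent has not yet written them) rather than that no reboot is pending.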
Step 2: Test Query
- Choose Query which was created before
- In Device selector: Choose computers you want to query
- Click Run Query

Step 3: Check the result