Overview
Sophos Extended Detection and Response (XDR) allows you to investigate detected threats (“threat cases”) and search for new threats or security vulnerabilities. It also enables remote monitoring and troubleshooting of devices. With Sophos XDR, you can access both cloud-stored data and data directly on devices, ensuring you always have the most up-to-date information.
This article provides a guide on how to use the Live Discover tool of Sophos CIXA with EDR to query the entire workstation and server system to obtain information about which machines have been installed with Sophos certificates. This helps reduce the time for administrators to manually check each machine for verification.
Query Diagram
How to configure
Step 1: Create Custom Query
- Login Sophos Central Admin -> Choose Threat Analysis Center -> Choose Live Discover -> Enable Designer mode -> Click Create new query
- Enter name for your query
- In Category: Choose category that you want to save to
- In Source: Choose Live Endpoint and choose OS that you want (some queries may not be supported for the selected operating system).
- In SQL: Enter code
WITH rebootRequired AS (SELECT
CASE
WHEN data LIKE ‘1’ THEN ‘Yes’
ELSE ‘No’
END AS RebootRequired
FROM registry
WHERE path LIKE ‘HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus\VolatileFlags\RebootRequired’),
rebootRequiredDate AS (SELECT datetime(CAST(data AS unsigned_bigint)/1000,’unixepoch’,’localtime’) AS RequiredSince
FROM registry
WHERE path LIKE ‘HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus\VolatileFlags\RebootRequiredSince’)
SELECT RebootRequired,
CASE
WHEN RebootRequired = ‘No’ THEN ‘n/a’
ELSE RequiredSince
END AS rebootRequiredDate
FROM rebootRequired JOIN rebootRequiredDate
- Click Save
Step 2: Test Query
- Choose the query
- In Device selector: Choose computers you want
- Click Run Query
Step 3: Check the result
Leave a Reply