Sophos Endpoint - How to know the core agent version globally?

Hello community!

I have a question: is it possible to know the core agent version globally? For example, if I want to look at the core agent version on a device, I have to go to Devices - "PC1", and in the agent summary we can look at all the components or licensed product versions.

But I want to know the core agent version for all the devices in the organization. Is there any data lake query, endpoint query, or other tool in Sophos Central to know the core agent version on all the devices?

I'm attentive to your information.

Kind Regards.



  • If you just want to check the computers are on the latest 2022.1 release, I'd probably go for a data lake query based on the windows_programs table.

    Document (sophos.com)

    E.g.

    SELECT
    meta_hostname AS ep_name,
    name,
    version,
    install_source,
    publisher,
    identifying_number,
    install_date
    FROM xdr_data
    WHERE query_name = 'windows_programs' and name = 'Sophos Endpoint Agent'

    Export this to a CSV and create a pivot table from the data. If they are on the latest version, then they would have 2022.1.0.78. It will also show previous versions a client has reported in during the time window selected.

    You could of course go looking for just the latest based on the client reporting in that version at some point, although I suppose they could have downgraded?

    SELECT
        distinct(meta_hostname) AS ep_name,
        name,
        version,
        install_source,
        publisher,
        identifying_number,
        install_date
    FROM xdr_data
    WHERE query_name = 'windows_programs' and name = 'Sophos Endpoint Agent' and version='2022.1.0.78'


    There are plenty more fields you could show, e.g. adding all columns so you can see what's there: IPs, user, last boot time, the time the data was ingested, etc.

    SELECT
        distinct(meta_hostname) AS ep_name,
       *
    FROM xdr_data
    WHERE query_name = 'windows_programs' and name = 'Sophos Endpoint Agent' and version='2022.1.0.78'

    You could go reading registry keys with Live Query but that does require the computer to be on and you might be able to make use of the history? 
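
The CSV export and pivot step suggested in the reply above, as an added example that is not part of the original post: it groups the exported rows by host, lists every agent version each host reported in the selected time window, and flags hosts that never reported the target version or that reported more than one (the export has no time column, so it cannot tell which is current). It assumes the CSV header uses the query's column aliases (`ep_name`, `version`, ...); the hostnames and the older version in the sample are constructed.

```python
import csv
import io
from collections import defaultdict

TARGET = "2022.1.0.78"  # version quoted in the reply above

# Constructed sample of the exported CSV (hosts and the older version are made up).
SAMPLE_CSV = """ep_name,name,version,install_source,publisher,identifying_number,install_date
PC1,Sophos Endpoint Agent,2022.1.0.78,,Sophos Limited,,20220601
PC1,Sophos Endpoint Agent,2021.0.0.1,,Sophos Limited,,20220301
PC2,Sophos Endpoint Agent,2021.0.0.1,,Sophos Limited,,20220301
pc3,Sophos Endpoint Agent,2022.1.0.78,,Sophos Limited,,20220602
"""


def version_key(version):
    """Turn '2022.1.0.78' into (2022, 1, 0, 78) so versions compare numerically."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.strip().split("."))


def pivot_versions(csv_text, target=TARGET):
    """Return {host: summary} built from the exported query results."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["ep_name"].strip().upper()  # hostnames compared case-insensitively
        version = row["version"].strip()
        if host and version:
            seen[host].add(version)
    report = {}
    for host, versions in seen.items():
        ordered = sorted(versions, key=version_key)
        report[host] = {
            "versions": ordered,
            "highest": ordered[-1],
            "reported_target": target in versions,
            # More than one version in the window: upgraded, or possibly downgraded.
            "multiple_versions": len(versions) > 1,
        }
    return report


def hosts_missing_target(report):
    """Hosts that never reported the target version in the exported window."""
    return sorted(h for h, r in report.items() if not r["reported_target"])


if __name__ == "__main__":
    result = pivot_versions(SAMPLE_CSV)
    for host in sorted(result):
        print(host, result[host])
    print("Not on target:", hosts_missing_target(result))
```

Hosts flagged with `multiple_versions` are the ones to check individually on their device page in Sophos Central.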

  • Hello Sophos User930

    Many thanks for the data lake query provided, this is exactly what I was looking for.

    Kind Regards.

  • No problem.

    The wildcard query is worth a look to see all the device specific info that can be obtained. 

  • Hi, I have executed this query:

    SELECT
    distinct(meta_hostname) AS ep_name,
    name,
    version,
    install_source,
    publisher,
    identifying_number,
    install_date
    FROM xdr_data
    WHERE query_name = 'windows_programs' and name = 'Sophos Endpoint Agent' and version='2022.1.0.78'

    but it says invalid table xdr_data