Hello community!
I have a question: is it possible to know the core agent version globally? For example, if I want to look at the core agent version on a device, I have to go to Devices - "PC1", and in the agent summary we can see all the components or licensed product versions.
But I want to know the core agent version for all the devices in the organization. Is there any data lake query, endpoint query, or other tool in Sophos Central to know the core agent version on all the devices?
I'm attentive to your information.
Kind Regards.
If you just want to check the computers are on the latest 2022.1 release, I'd probably go for a data lake query based on the windows_programs table.
Document (sophos.com)
E.g.
SELECT meta_hostname AS ep_name, name, version, install_source, publisher, identifying_number, install_date FROM xdr_data WHERE query_name = 'windows_programs' and name = 'Sophos Endpoint Agent'
Export this to a CSV and create a pivot table from the data. If they are on the latest version, then they would have 2022.1.0.78. It will also show previous versions a client has reported in during the time window selected.
You could of course go looking for just the latest based on the client reporting in that version at some point, although I suppose they could have downgraded?
SELECT distinct(meta_hostname) AS ep_name, name, version, install_source, publisher, identifying_number, install_date FROM xdr_data WHERE query_name = 'windows_programs' and name = 'Sophos Endpoint Agent' and version='2022.1.0.78'
SELECT distinct(meta_hostname) AS ep_name, * FROM xdr_data WHERE query_name = 'windows_programs' and name = 'Sophos Endpoint Agent' and version='2022.1.0.78'
You could go reading registry keys with Live Query but that does require the computer to be on and you might be able to make use of the history?
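The export-and-pivot step from the reply above, as an added example that is not part of the original thread: it groups the exported CSV by host and separates hosts that reported 2022.1.0.78 from those that never did. The sample rows, the older version number and the case-insensitive hostname matching are assumptions; the column names come from the query's SELECT list.

```python
import csv
import io
from collections import defaultdict

TARGET = "2022.1.0.78"  # latest version named in the thread

# Constructed sample of the CSV export (values are illustrative, not real data).
SAMPLE_CSV = """ep_name,name,version,install_source,publisher,identifying_number,install_date
PC1,Sophos Endpoint Agent,2021.3.0.10,,,,
PC1,Sophos Endpoint Agent,2022.1.0.78,,,,
PC2,Sophos Endpoint Agent,2021.3.0.10,,,,
pc3,Sophos Endpoint Agent,2022.1.0.78,,,,
PC3,Sophos Endpoint Agent,2022.1.0.78,,,,
"""

def version_key(version):
    """Turn '2022.1.0.78' into (2022, 1, 0, 78) so versions compare numerically."""
    return tuple(int(p) for p in version.strip().split(".") if p.isdigit())

def pivot_versions(csv_text):
    """Map each hostname to the set of agent versions it reported in the window."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["ep_name"].strip().upper()  # assumption: names match case-insensitively
        version = row["version"].strip()
        if host and version:
            seen[host].add(version)
    return dict(seen)

def compliance_report(csv_text, target=TARGET):
    """Return (on_target, behind): hosts that reported the target version, and the rest.

    A host in on_target reported the target at some point in the window; a later
    downgrade is not visible from this data alone.
    """
    on_target, behind = {}, {}
    for host, versions in pivot_versions(csv_text).items():
        newest = max(versions, key=version_key)
        bucket = on_target if version_key(newest) >= version_key(target) else behind
        bucket[host] = sorted(versions, key=version_key)
    return on_target, behind

if __name__ == "__main__":
    ok, behind = compliance_report(SAMPLE_CSV)
    for host, versions in sorted(behind.items()):
        print(f"BEHIND {host}: {', '.join(versions)}")
    print(f"{len(ok)} host(s) reported {TARGET}, {len(behind)} did not")
```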
Hello Sophos User930
Many thanks for the data lake query provided; this is exactly what I was looking for.
No problem.
The wildcard query is worth a look to see all the device specific info that can be obtained.
Hi, I have executed this query:
SELECT distinct(meta_hostname) AS ep_name, name, version, install_source, publisher, identifying_number, install_date FROM xdr_data WHERE query_name = 'windows_programs' and name = 'Sophos Endpoint Agent' and version='2022.1.0.78'
but it says invalid table xdr_data.
Any idea how to pull the Sophos workstation group at the same time?
It'd be great if the agent version were listed right on the computer list in another column.
Hi,
I've executed the query but it says "invalid table xdr_data"
I tested on my PC with XDR activated and it doesn't work.
Could you please list the tables with requested information?