Active Notification for non-rebooted clients possible?

Hello all,

We have a requirement in the company that our employees' clients have to reboot regularly for updates, etc.

Is there a way to be actively notified by Sophos (Endpoint) if, for example, a client has not been rebooted for more than a week?

We use Sophos Central with several modules, for our clients Sophos Endpoint Protection (MDR).

Thanks in advance. 

Best regards, 

Philipp 

  • You could maybe schedule a datalake query that considers the start time of a critical process, e.g. Services.exe for windows.  If the start time of such a process is more than x hours/days old, you could assume it hasn't restarted since that time.

    SELECT windows_processes.meta_hostname,
        time,
        DATE_FORMAT(FROM_UNIXTIME(time), '%Y-%m-%dT%H:%i:%SZ') AS date_time
    FROM
        xdr_data AS windows_processes
    WHERE
        windows_processes.query_name = 'running_processes_windows_sophos'
        AND name = 'services.exe'
        AND time < to_unixtime(current_date) - (60*60*24*7) -- 1 week

    Something to consider.  You can't run scheduled queries for live queries, so it would need to be something from the datalake, I guess.  I might have the time filter wrong, but you get the idea.
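Added example (not from the thread or from Sophos): how a script could post-process the rows such a Data Lake query returns to produce the internal audit list. It assumes each row is (hostname, services.exe start time as a Unix timestamp) and, because the Data Lake keeps one row per query run, collapses repeated snapshots to the newest start per host so a machine that has rebooted since an older snapshot is not reported; the host names and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the run is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
MAX_UPTIME = timedelta(days=7)

# Constructed sample rows: (hostname, services.exe start time as Unix timestamp).
# A host can appear several times because the Data Lake keeps one row per query run;
# PC-002 rebooted between two snapshots, so only its newest start time should count.
SAMPLE_ROWS = [
    ("PC-001", int((NOW - timedelta(days=2)).timestamp())),
    ("PC-002", int((NOW - timedelta(days=20)).timestamp())),   # older snapshot
    ("PC-002", int((NOW - timedelta(days=1)).timestamp())),    # newest: rebooted yesterday
    ("PC-003", int((NOW - timedelta(days=9)).timestamp())),
    ("PC-004", int((NOW - timedelta(days=30, hours=4)).timestamp())),
]


def latest_start_per_host(rows):
    """Collapse repeated snapshots to the most recent services.exe start per host."""
    latest = {}
    for hostname, start_ts in rows:
        if start_ts > latest.get(hostname, 0):
            latest[hostname] = start_ts
    return latest


def find_stale_hosts(rows, now=NOW, max_uptime=MAX_UPTIME):
    """Return [(hostname, whole_days_up)] for hosts whose services.exe has been
    running longer than max_uptime, longest uptime first."""
    stale = []
    for hostname, start_ts in latest_start_per_host(rows).items():
        uptime = now - datetime.fromtimestamp(start_ts, tz=timezone.utc)
        if uptime > max_uptime:
            stale.append((hostname, uptime.days))
    return sorted(stale, key=lambda r: r[1], reverse=True)


def audit_report(rows, now=NOW, max_uptime=MAX_UPTIME):
    """Plain-text summary that can be filed as the internal audit record."""
    stale = find_stale_hosts(rows, now, max_uptime)
    header = f"{now:%Y-%m-%d}: {len(stale)} host(s) not rebooted in over {max_uptime.days} days"
    return "\n".join([header] + [f"  {host}: {days} days" for host, days in stale])


if __name__ == "__main__":
    print(audit_report(SAMPLE_ROWS))
```

The report is plain text on purpose: it can be pasted into a ticket or archived as-is, and the same function can feed a mail step if one is added later.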

  • I'm not sure why, but I thought you could email the results of the scheduled queries. I can't see an option to do it.  I suppose you can at least use data lake data to get the information about the clients without endpoint queries, but maybe you have to query the APIs from a script to be able to send such information. Sorry, I've not done that. 

  • Thanks a lot, I'll figure out how and who can generate a query internally. The option to get the results as mail would be nice, but is not mandatory. We just need to document the audit internally in some way; it doesn't have to be by mail.