Active Notifcation for non-rebooted clients possible?

You could maybe schedule a datalake query that considers the start time of a critical process, e.g. Services.exe for windows.  If the start time of such a process is more than x hours/days old, you could assume it hasn't restarted since that time.

Select windows_processes.meta_hostname,
time,
DATE_FORMAT(FROM_UNIXTIME(time), '%Y-%m-%dT%H:%i:%SZ') AS date_time
FROM
xdr_data AS windows_processes
WHERE
windows_processes.query_name = 'running_processes_windows_sophos'
and
name='services.exe' and time < to_unixtime(current_date) - (60*60*24*7) --1 week

Something to consider.  You can't run scheduled queries for live queries so it would need to be something from the datalake I guess.  I might have the time filter wrong but you get the idea. 

I'm not sure why but I thought you could email the results of the scheduled queries. I can't see an option to do it.  I suppose you can at least use data lake data to get the information about the clients without endpoint queries but maybe you have to query the APIs from a script to be able to send such information. Sorry I've not done that. 

Thanks a lot, I'll figure out how and who can generate a query internally. The option for results as mail would be nice, but is not mandatory. We just  need to document the audit internally in any way, has not to be by mail.