Hello together,
we have a requirement in the company that our employees clients have to reboot regularly for updates, etc.
Is there a way to be actively notified by Sophos (Endpoint) if, for example, a client has not been rebooted for more than a week?
We use Sophos Central with several modules, for our clients Sophos Endpoint Protection (MDR).
Thanks in advance.
Best regards,
Philipp
You could maybe schedule a datalake query that considers the start time of a critical process, e.g. Services.exe for windows. If the start time of such a process is more than x hours/days old, you could assume it hasn't restarted since that time.
Select windows_processes.meta_hostname,
time,
DATE_FORMAT(FROM_UNIXTIME(time), '%Y-%m-%dT%H:%i:%SZ') AS date_time
FROM
xdr_data AS windows_processes
WHERE
windows_processes.query_name = 'running_processes_windows_sophos'
and
name='services.exe' and time < to_unixtime(current_date) - (60*60*24*7) --1 week
Something to consider. You can't run scheduled queries for live queries so it would need to be something from the datalake I guess. I might have the time filter wrong but you get the idea. 
