[QueryCorner][July2022] Windows PCI Audit Report

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


This query is designed to give you information required in a PCI Audit.

  • Fully Qualified Domain Name
  • Local IP Address
  • Windows Version
  • Build Number
  • Architecture 
  • Tamper Protection Status
  • Last Sophos Update
  • Last Agent Online
  • Current Suite Version

NOTE: if the device has (2) or local IPs, it will return one per interface.


You must have XDR enabled in your environment. This is entirely a Live Discover query.

This is intended for Windows only.

Query Focus

This query came in from a customer looking to pull in additional information to complete their PCI Audit. It can be ran across your entire fleet and has minimal impact on the system. 

--PCI AV Compliance
--Author: @jkopacko - Jeramy Kopacko
--This query will build virtual table conditions and join the information to produce a per agent compliance card through Live Endpoint for Windows devices

--Grab FQDN
    SELECT hostname AS FQDN
    FROM system_info
--Grab local IP from interface 
localIP AS (
    SELECT address 
    FROM interface_addresses 
    WHERE type NOT IN ('auto', 'unknown') 
    /*If you use IP6, remove line 11*/
    AND mask LIKE '%255%'
--Grab OS Information
winVersion AS (
    SELECT name,
            WHEN build = 22000 THEN '21H2'
            WHEN build = 19044 THEN '21H2'
            WHEN build = 19043 THEN '21H1'
            WHEN build = 19042 THEN '20H2'
            WHEN build = 19041 THEN '2004'
            WHEN build = 18363 THEN '1909'
            WHEN build = 18362 THEN '1903'
            WHEN build = 17763 THEN '1809'
            WHEN build = 17134 THEN '1803'
            WHEN build = 16299 THEN '1709'
            WHEN build = 15069 THEN '1703'
            WHEN build = 14393 THEN '1607'
            WHEN build = 10586 THEN '1511'
            WHEN build = 10240 THEN '1507'
        END AS winVersion,
    FROM os_version
--Grab Tamper Protection Status
tamperStatus AS (
            WHEN data LIKE '1' THEN 'ENABLED'
            WHEN data LIKE '0' THEN 'DISABLED' 
    FROM registry 
    WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config' 
    AND name='SEDEnabled' 
--Grab last Sophos Update Timestamp
sophosUpdate AS (
    SELECT datetime(mtime,'unixepoch','localtime') AS lastUpdate
    FROM file
    WHERE path = 'C:\ProgramData\Sophos\AutoUpdate\Logs\SophosUpdate.log'
--Grab last online activity
agentOnline AS (
    SELECT datetime(mtime,'unixepoch','localtime') AS lastActivity
    FROM file
    WHERE path = 'C:\ProgramData\Sophos\Management Communications System\Endpoint\Logs\McsClient.log'
--XML Config Table
configXML AS (
    SELECT line
    FROM grep
    WHERE path = 'C:\ProgramData\Sophos\AutoUpdate\data\repo\config.xml'
    AND pattern = '<'
--XML Parsed for Suite Info
suiteXML AS (
    SELECT rtrim(ltrim(trim(line),'<'),'>') AS suite
    FROM configXML
    WHERE suite LIKE 'suite ref="%'
suiteVersion AS (
    SELECT rtrim(ltrim(suite,'suite ref="dds3.'),'.dat" /') AS suiteVersion
    FROM suiteXML
    WHERE suiteVersion LIKE 'WindowsCloudAV%'
pciAudit AS (
JOIN localIP
JOIN winVersion
JOIN tamperStatus
JOIN sophosUpdate
JOIN agentOnline
JOIN suiteVersion
SELECT * FROM pciAudit

Understanding the Code

This code uses virtual tables and join statements to return the necessary information. This is a great example of how the flexibility of Sophos XDR can solve security and administrative challenges for your organization. Here is a general view of how to structure this for your own custom queries. 

WITH <tableName> AS (
SELECT <someColumn>
FROM <someTable>
<tableName2> AS (
SELECT <someColumn1>
FROM <someTable1>
<masterTable> AS (
FROM <tableName>
JOIN <tableName2>

SELECT * FROM <masterTable>

Happy querying!


Added Disclaimer
[edited by: GlennSen at 3:32 PM (GMT -7) on 5 Apr 2023]