Browse Live Discover and Response Queries by Category
Approved

Finding the Sophos Machine ID

Each device managed by Sophos has a unique machineID. This is created at the time of installation. There are some scenarios where it's useful to be able to search for a unique machineID, or a collection of them.

-- Name: List Sophos Machine IDs
-- Description: List the Sophos machineID of your endpoints and servers

SELECT
    CASE type
        WHEN 'subkey' THEN path
        ELSE rtrim(path, replace(path, '\', ''))
    END keyPath,
    CASE type
        WHEN 'subkey' THEN ''
        ELSE name
    END valueName,
    CASE type
        WHEN 'subkey' THEN ''
        ELSE type
    END valueType,
    data valueData,
    datetime(mtime,'unixepoch') lastTimeModified
FROM registry
WHERE (path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\Application\SavMachineId')
ORDER BY keyPath ASC

AndyM
Parents

  • Of course, if you need to find a defined machineID, you can do so with a simple variable:

    -- Name: List Sophos Machine IDs
-- Description: List the Sophos machineID of your endpoints and servers
-- Variable#1: name=machineID type=string default=%

SELECT
    CASE type
        WHEN 'subkey' THEN path
        ELSE rtrim(path, replace(path, '\', ''))
    END keyPath,
    CASE type
        WHEN 'subkey' THEN ''
        ELSE name
    END valueName,
    CASE type
        WHEN 'subkey' THEN ''
        ELSE type
    END valueType,
    data valueData,
    datetime(mtime,'unixepoch') lastTimeModified
FROM registry
WHERE (path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\Application\SavMachineId')
AND valueData LIKE '%$$MachineID$$%'
ORDER BY keyPath ASC

Comment

  • Of course, if you need to find a defined machineID, you can do so with a simple variable:

    -- Name: List Sophos Machine IDs
-- Description: List the Sophos machineID of your endpoints and servers
-- Variable#1: name=machineID type=string default=%

SELECT
    CASE type
        WHEN 'subkey' THEN path
        ELSE rtrim(path, replace(path, '\', ''))
    END keyPath,
    CASE type
        WHEN 'subkey' THEN ''
        ELSE name
    END valueName,
    CASE type
        WHEN 'subkey' THEN ''
        ELSE type
    END valueType,
    data valueData,
    datetime(mtime,'unixepoch') lastTimeModified
FROM registry
WHERE (path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\Application\SavMachineId')
AND valueData LIKE '%$$MachineID$$%'
ORDER BY keyPath ASC

Children
No Data
Unfiltered HTML