Query Sophos Agent Needing Reboot

This query will search for reg keys that indicate your Sophos agent requires a reboot to complete installation/updates and the date it was flagged to be rebooted

WITH rebootRequired AS (SELECT
   CASE
      WHEN data LIKE '1' THEN 'Yes'
      ELSE 'No'
   END AS RebootRequired
FROM registry 
WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus\VolatileFlags\RebootRequired'),

rebootRequiredDate AS (SELECT datetime(CAST(data AS unsigned_bigint)/1000,'unixepoch','localtime') AS RequiredSince
FROM registry 
WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus\VolatileFlags\RebootRequiredSince')

SELECT RebootRequired,
   CASE
      WHEN RebootRequired  = 'No' THEN 'n/a'
      ELSE RequiredSince
      END AS rebootRequiredDate
FROM rebootRequired JOIN rebootRequiredDate

JeramyKopacko

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Query Sophos Agent Needing Reboot