Live Discover Query - History of Safe Mode system startup

REVIEWED by Sophos

We want a query to list the boot history of the device and if the boot was into safemode or not.

SELECT
CAST(datetime(time, 'unixepoch') AS TEXT) AS 'System Startup Date-Time',
CASE JSON_EXTRACT(data, '$.EventData.BootMode')
WHEN '0' THEN 'Normal_Boot'
WHEN '1' THEN 'Safe-Mode'
ELSE 'Unknown Mode: ' || JSON_EXTRACT(data, '$.EventData.BootMode')
END AS 'Boot Mode',
'Windows ' || JSON_EXTRACT(data, '$.EventData.MajorVersion') || '.' || JSON_EXTRACT(data, '$.EventData.MinorVersion') || '.' || JSON_EXTRACT(data, '$.EventData.BuildVersion') AS 'OS_Version'
FROM sophos_windows_events
WHERE (eventid = 12 AND task = 1)
AND time > STRFTIME('%s','NOW','-90 DAYS')
ORDER by 1 DESC;

OK that gives us the boot history but how to tell if it is a safemode boot or not?

Karl_Ackerman

Karl_Ackerman over 3 years ago

This was requested by a customer, for others if there is a query you want but don't know how to write please just ask and we will see what we can do. Thanks all.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Live Discover Query - History of Safe Mode system startup