REVIEWED by Sophos
We want a query to list the boot history of the device and if the boot was into safemode or not.
SELECT
    CAST(datetime(time, 'unixepoch') AS TEXT) AS 'System Startup Date-Time',
    -- BootMode from the event data: 0 = normal boot, 1 = safe mode
    CASE JSON_EXTRACT(data, '$.EventData.BootMode')
        WHEN '0' THEN 'Normal_Boot'
        WHEN '1' THEN 'Safe-Mode'
        ELSE 'Unknown Mode: ' || JSON_EXTRACT(data, '$.EventData.BootMode')
    END AS 'Boot Mode',
    'Windows ' || JSON_EXTRACT(data, '$.EventData.MajorVersion') || '.' || JSON_EXTRACT(data, '$.EventData.MinorVersion') || '.' || JSON_EXTRACT(data, '$.EventData.BuildVersion') AS 'OS_Version'
FROM sophos_windows_events
WHERE (eventid = 12 AND task = 1)
    AND time > STRFTIME('%s','NOW','-90 DAYS')  -- last 90 days only
ORDER BY 1 DESC;  -- newest startup first
OK, that gives us the boot history, but how to tell if it is a safemode boot or not?
This was requested by a customer. For others: if there is a query you want but don't know how to write, please just ask and we will see what we can do.