/*
--author: Sophos Community
+= Descriptive names: N/A
+= Variable type: N/A
+= Value: N/A
+= Version 1.0 - 03/10/23
+= Query type: Live Discover
+= OS Support: Windows
*/
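-- Reads the Sophos endpoint health values under the Health\Status registry key and
-- reports each one as an analyst-friendly label. One result row is produced.
--
-- Changes from the original: the key path is read once through a CTE, the key
-- literal is single-quoted (in SQLite a double-quoted token is an identifier first
-- and only falls back to a string literal, a fallback builds may disable), every
-- CASE has an ELSE so an unexpected value is shown rather than returning a blank
-- cell, a missing value is reported as MISSING instead of NULL (the key being
-- absent is itself a finding — product not installed or the key was removed), and
-- BadServices uses one group_concat instead of running the same subquery twice.
--
-- NOTE(review): osquery exposes registry.data as TEXT; the numeric comparisons below
-- rely on SQLite affinity to match '1' against 1 — confirm on a live endpoint.
WITH sophos_health AS (
    SELECT
        name,
        data
    FROM registry
    WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\Status\'
)
SELECT
    -- 'admin': 1 = healthy, 3 = endpoint isolated (values as used by the original author).
    COALESCE(
        (SELECT
            CASE
                WHEN data = 1 THEN 'GOOD ✅'
                WHEN data = 3 THEN 'BAD ❌ - Isolated'
                ELSE 'UNKNOWN - value ' || COALESCE(data, 'NULL')
            END
         FROM sophos_health
         WHERE name = 'admin'),
        'MISSING - admin value not found') AS IsolateStatus,

    -- 'service': aggregate service health, 1 = good, 2 = suspicious, 3 = bad.
    COALESCE(
        (SELECT
            CASE
                WHEN data = 1 THEN 'GOOD ✅'
                WHEN data = 2 THEN 'SUSPICIOUS ⚠️'
                WHEN data = 3 THEN 'BAD ❌'
                ELSE 'UNKNOWN - value ' || COALESCE(data, 'NULL')
            END
         FROM sophos_health
         WHERE name = 'service'),
        'MISSING - service value not found') AS ServiceStatus,

    -- 'threat': same scale; non-good states point the analyst at the event details.
    -- A ' - ' separator is inserted so the label and the instruction do not run together.
    COALESCE(
        (SELECT
            CASE
                WHEN data = 1 THEN 'GOOD ✅'
                WHEN data = 2 THEN 'SUSPICIOUS ⚠️' || ' - Investigate Event details in Sophos Endpoint Dashboard'
                WHEN data = 3 THEN 'BAD ❌' || ' - Investigate Event details in Sophos Endpoint Dashboard'
                ELSE 'UNKNOWN - value ' || COALESCE(data, 'NULL')
            END
         FROM sophos_health
         WHERE name = 'threat'),
        'MISSING - threat value not found') AS ThreatStatus,

    -- Per-service entries ('service.<name>'). The original treats data 1 and 2 as
    -- unhealthy here, which differs from the 1 = GOOD mapping of the aggregate
    -- 'service' value above — presumably the per-service scale is different; verify
    -- against the Sophos Health Status documentation before changing it.
    -- group_concat over zero rows is NULL, which COALESCE maps to the NONE label.
    COALESCE(
        (SELECT
            CAST(group_concat(name, CHAR(10)) AS TEXT)
         FROM sophos_health
         WHERE name LIKE 'service.%'
           AND data IN (1, 2)),
        'NONE ✅') AS BadServices,

    -- 'health': overall endpoint health, same 1/2/3 scale.
    COALESCE(
        (SELECT
            CASE
                WHEN data = 1 THEN 'GOOD ✅'
                WHEN data = 2 THEN 'SUSPICIOUS ⚠️'
                WHEN data = 3 THEN 'BAD ❌'
                ELSE 'UNKNOWN - value ' || COALESCE(data, 'NULL')
            END
         FROM sophos_health
         WHERE name = 'health'),
        'MISSING - health value not found') AS OverallHealthStatus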