https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-to-extract-installed-application/m-p/437911#M1109 <P>Yes. There are multiple workarounds.<BR />1. You can either use the "Endpoint Administration" Tab to get the equivalent "hostname" of the "IP Address"/"user" and then use "quick Launcher" on the top right to get the "Asset View" of the endpoint<BR />Change the view to applications. That provide the list of application and the count</P><P>2. Alternatively, you can use XQL query. Target "Host Inventory" table<BR />Note:</P><P>Agent_id is the primary key for the host inventory table. But you can execute the query with a filter such as<BR />- host_name<BR />- ip_addresses<BR />- users<BR />Also, note the timeframe specified because host inventory collection happens daily and you could have multiple counts</P><P><BR />With IP Address</P><P>dataset = host_inventory<BR />| filter ip_addresses = "10.10.10.10"<BR />| arrayexpand applications<BR />| alter apps = json_extract(applications, "$.application_name")<BR />| fields apps</P><P><BR />To make it a re-usable query, change the hardcoded IP Address to "$system_ip" and save it into your query library<BR />Whenever you want to use the query, you will need to supply the target IP Address as the parameter. See attached screenshot</P><P><BR />dataset = host_inventory<BR />| filter ip_addresses = "$system_ip"<BR />| arrayexpand applications<BR />| alter apps = json_extract(applications, "$.application_name")<BR />| fields apps</P><P>&nbsp;</P><P>With User name</P><P>change the target_user e.g. Smith (case sensitive)</P><P>dataset = host_inventory<BR />| arrayexpand users<BR />| alter target_user = json_extract(users, "$.name")<BR />| filter (target_user = "\"target_user\"")<BR />| arrayexpand applications<BR />| alter apps = json_extract(applications, "$.application_name")<BR />| fields apps</P><P><BR />For the count of applications per IP Address</P><P><BR />dataset = host_inventory<BR />| filter ip_addresses = "10.10.10.10"<BR />| arrayexpand applications<BR />| alter apps = json_extract(applications, "$.application_name")<BR />| dedup apps by asc _time<BR />| comp count(apps) as Counter by _time</P> Thu, 30 Sep 2021 22:39:16 GMT malalade 2021-09-30T22:39:16Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-to-extract-installed-application/m-p/437774#M1108 <P>Hi,</P><P>&nbsp;</P><P>I have queries regarding cortex XDR,</P><P>&nbsp;</P><P>Does the cortex xdr provide application inventory counts?</P><P>&nbsp;</P><P>We want to extract each and every application which is installed in all our network systems but with IP.</P><P>&nbsp;</P><P>for e.g, 10.10.10.10 is a system IP, I want to extract how many other applications are installed in this particular IP.</P><P>&nbsp;</P><P>From host insight, we get the list but we want with IP or user.</P><P>&nbsp;</P> Thu, 30 Sep 2021 16:53:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-to-extract-installed-application/m-p/437774#M1108 OsamaKhan 2021-09-30T16:53:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-to-extract-installed-application/m-p/437911#M1109 <P>Yes. There are multiple workarounds.<BR />1. You can either use the "Endpoint Administration" Tab to get the equivalent "hostname" of the "IP Address"/"user" and then use "quick Launcher" on the top right to get the "Asset View" of the endpoint<BR />Change the view to applications. That provide the list of application and the count</P><P>2. Alternatively, you can use XQL query. Target "Host Inventory" table<BR />Note:</P><P>Agent_id is the primary key for the host inventory table. But you can execute the query with a filter such as<BR />- host_name<BR />- ip_addresses<BR />- users<BR />Also, note the timeframe specified because host inventory collection happens daily and you could have multiple counts</P><P><BR />With IP Address</P><P>dataset = host_inventory<BR />| filter ip_addresses = "10.10.10.10"<BR />| arrayexpand applications<BR />| alter apps = json_extract(applications, "$.application_name")<BR />| fields apps</P><P><BR />To make it a re-usable query, change the hardcoded IP Address to "$system_ip" and save it into your query library<BR />Whenever you want to use the query, you will need to supply the target IP Address as the parameter. See attached screenshot</P><P><BR />dataset = host_inventory<BR />| filter ip_addresses = "$system_ip"<BR />| arrayexpand applications<BR />| alter apps = json_extract(applications, "$.application_name")<BR />| fields apps</P><P>&nbsp;</P><P>With User name</P><P>change the target_user e.g. Smith (case sensitive)</P><P>dataset = host_inventory<BR />| arrayexpand users<BR />| alter target_user = json_extract(users, "$.name")<BR />| filter (target_user = "\"target_user\"")<BR />| arrayexpand applications<BR />| alter apps = json_extract(applications, "$.application_name")<BR />| fields apps</P><P><BR />For the count of applications per IP Address</P><P><BR />dataset = host_inventory<BR />| filter ip_addresses = "10.10.10.10"<BR />| arrayexpand applications<BR />| alter apps = json_extract(applications, "$.application_name")<BR />| dedup apps by asc _time<BR />| comp count(apps) as Counter by _time</P> Thu, 30 Sep 2021 22:39:16 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-to-extract-installed-application/m-p/437911#M1109 malalade 2021-09-30T22:39:16Z