https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-host-insights-and-xql-to-report-of-machines-with/m-p/458967#M1451 <P>Hello All</P><P>&nbsp;</P><P>&nbsp;</P><P>I would like to use host insights to provide a list of each machine with a specific software installed.</P><P>For example computer that have software containing 'docker'</P><P>&nbsp;</P><P>I can go to host insights, Applications, filter to include 'docker' and see the versions and numbers of assets. however you cannot export the lost of each asset here, just the versions and numbers.</P><P>&nbsp;</P><P>I am new to XQL and have not managed to create a query for the host_inventory dataset.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 16 Jan 2022 20:56:54 GMT GarethDavies 2022-01-16T20:56:54Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-host-insights-and-xql-to-report-of-machines-with/m-p/458967#M1451 <P>Hello All</P><P>&nbsp;</P><P>&nbsp;</P><P>I would like to use host insights to provide a list of each machine with a specific software installed.</P><P>For example computer that have software containing 'docker'</P><P>&nbsp;</P><P>I can go to host insights, Applications, filter to include 'docker' and see the versions and numbers of assets. however you cannot export the lost of each asset here, just the versions and numbers.</P><P>&nbsp;</P><P>I am new to XQL and have not managed to create a query for the host_inventory dataset.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 16 Jan 2022 20:56:54 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-host-insights-and-xql-to-report-of-machines-with/m-p/458967#M1451 GarethDavies 2022-01-16T20:56:54Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-host-insights-and-xql-to-report-of-machines-with/m-p/458990#M1452 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/39734">@GarethDavies</a>&nbsp;Does the query below aid you?&nbsp;</P><PRE>config case_sensitive = false timeframe=365d <BR />| dataset = host_inventory <BR />| filter applications != null<BR />| arrayexpand applications<BR />| alter applications=json_extract(applications, "$.application_name")<BR />| filter applications contains "docker"<BR />|fields applications, ip_addresses, host_name</PRE><P>&nbsp;</P> Mon, 17 Jan 2022 02:37:51 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-host-insights-and-xql-to-report-of-machines-with/m-p/458990#M1452 bbarmanroy 2022-01-17T02:37:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-host-insights-and-xql-to-report-of-machines-with/m-p/459094#M1459 <P>Hello Thank you&nbsp;</P><P>&nbsp;</P><P>that solution will work and gives me the raw output that I can investigate further , I see I can add more fields that I may want in the last line&nbsp;</P> Mon, 17 Jan 2022 20:17:59 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-host-insights-and-xql-to-report-of-machines-with/m-p/459094#M1459 GarethDavies 2022-01-17T20:17:59Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-host-insights-and-xql-to-report-of-machines-with/m-p/480039#M1867 <P>Hi Bbarmanroy，thank you for sharing. I try to output more fields, such as the application version, but it doesn't work. Look forward to your suggestions.</P><P>&nbsp;</P><P>config case_sensitive = false timeframe=365d<BR />| dataset = host_inventory<BR />| filter applications != null<BR />| arrayexpand applications<BR />| alter applications=json_extract(applications, "$.application_name")<BR />| alter version=json_extract(applications, "$.raw_version")<BR />|fields applications, ip_addresses, host_name, version</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="huwang_0-1649818673202.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/40131i36532F40BCCC5909/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="huwang_0-1649818673202.png" alt="huwang_0-1649818673202.png" /></span></P><P>&nbsp;</P> Wed, 13 Apr 2022 03:28:51 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-host-insights-and-xql-to-report-of-machines-with/m-p/480039#M1867 huwang 2022-04-13T03:28:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-host-insights-and-xql-to-report-of-machines-with/m-p/480043#M1868 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/196014">@huwang</a>&nbsp;use <STRONG>version</STRONG> instead of <STRONG>raw_version</STRONG>.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bbarmanroy_0-1649822346830.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/40133iB30B8D3BFB5949C7/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="bbarmanroy_0-1649822346830.png" alt="bbarmanroy_0-1649822346830.png" /></span></P><P>&nbsp;</P> Wed, 13 Apr 2022 03:59:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-host-insights-and-xql-to-report-of-machines-with/m-p/480043#M1868 bbarmanroy 2022-04-13T03:59:24Z