https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-help/m-p/523708#M3241 <P>Hi VenuK,<BR /><BR />Try using the preset in the query example below instead. This preset has the data you are looking for already parsed out nicely. In the host_inventory dataset, the application data is in a json array and would need additional XQL functions used to extract it.</P> <P>preset = host_inventory_applications</P> <P>|fields Vendor, application_name, version, manager_name, endpoint_name <BR />|comp count(endpoint_name) as counter by vendor, application_name, version, manager_name<BR />|sort desc counter</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Regards,<BR />Ben</P> Fri, 09 Dec 2022 14:44:00 GMT bbucao 2022-12-09T14:44:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-help/m-p/523651#M3238 <P>Dear All,</P> <P>&nbsp;</P> <P>We wanted to pull the list of applications installed on our devices and would like to use XQL query to list the applications that are installed, we tried the below with no results, can someone help me how to get this achieved.</P> <P><SPAN>&nbsp;config timeframe = 24h</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;| dataset = host_inventory</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;| filter application_name in("Application Name that we have pulled using the host inventory")</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks in Advance</SPAN></P> <P><SPAN>Venu</SPAN></P> Thu, 08 Dec 2022 18:33:47 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-help/m-p/523651#M3238 VenuK 2022-12-08T18:33:47Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-help/m-p/523708#M3241 <P>Hi VenuK,<BR /><BR />Try using the preset in the query example below instead. This preset has the data you are looking for already parsed out nicely. In the host_inventory dataset, the application data is in a json array and would need additional XQL functions used to extract it.</P> <P>preset = host_inventory_applications</P> <P>|fields Vendor, application_name, version, manager_name, endpoint_name <BR />|comp count(endpoint_name) as counter by vendor, application_name, version, manager_name<BR />|sort desc counter</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Regards,<BR />Ben</P> Fri, 09 Dec 2022 14:44:00 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-help/m-p/523708#M3241 bbucao 2022-12-09T14:44:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-help/m-p/523924#M3252 <P>Than you very much&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/205598">@bbucao</a>&nbsp;</P> Tue, 13 Dec 2022 13:42:26 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-help/m-p/523924#M3252 VenuK 2022-12-13T13:42:26Z