https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-view-information-about-windows-endpoints-missing-with-kb/m-p/529978#M3563 <P>Thanks for the info. I'll try it.</P> Mon, 06 Feb 2023 11:29:30 GMT haimmiller 2023-02-06T11:29:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-view-information-about-windows-endpoints-missing-with-kb/m-p/529921#M3560 <P>Hi,</P> <P>&nbsp;</P> <P>I'd like to know how I can export/view information about Windows endpoints that do not apply with specific KB by specific ENDPOINT GROUPS. I can only filter by CVES or ENDPOINTS from the Vulnerability Assessment but not with KBs.</P> <P>My second question is there a way to query if, for example, a Windows endpoint is not applied with the latest cumulative KB/older KBs?</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> Sun, 05 Feb 2023 13:29:54 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-view-information-about-windows-endpoints-missing-with-kb/m-p/529921#M3560 haimmiller 2023-02-05T13:29:54Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-view-information-about-windows-endpoints-missing-with-kb/m-p/529971#M3562 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/271877">@haimmiller</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thank you for writing to Live Community!</P> <P>&nbsp;</P> <P>Cortex XDR vulnerability assessment shows you the list of KBs installed on the endpoints. However, it does not show the comparative analysis or assessment for latest KBs as KBs are provided by the vendors and we do not fetch the latest serials into XDR. However, you can list the KBs in couple of ways as listed below:</P> <OL> <LI><STRONG>Using Script Execution</STRONG>: If you do not have host insights license but have Cortex XDR Pro license enabled on endpoints, you can use the Cortex XDR script execution. Under category of "Execute Commands" you can run the following cmdline params "wmic qfe get HotfixID" you can also use "find" at the end of this command to filter by date/month/year or the latest KB number as per your choice(example below):. You can also get the result output of the script in form of a report.<BR /> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="100%"> <P><FONT size="2" color="#0000FF"><STRONG>wmic qfe get HotFixID | find "3004365"</STRONG></FONT></P> </TD> </TR> </TBODY> </TABLE> <BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="neelrohit_0-1675680734329.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/47673iB4FE686A413067AA/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="neelrohit_0-1675680734329.png" alt="neelrohit_0-1675680734329.png" /></span> <P>&nbsp;</P> </LI> <LI>&nbsp;<STRONG>Using host insights based license and XQL</STRONG>: You can use the traditional host insights based dataset to query the list of installed KBs on endpoints using the following XQL query<BR /> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="100%"><LI-CODE lang="java">dataset = host_inventory | arrayexpand kbs | filter host_name != null and os_type != ENUM.OS_LINUX | alter hotfix = json_extract(kbs , "$.name") | alter date = json_extract(kbs , "$.installation_date") | alter header = json_extract(kbs , "$.title") | fields host_name, hotfix, date, header</LI-CODE></TD> </TR> </TBODY> </TABLE> </LI> </OL> <P>You can add filters of your choice under this to query the data for specific hostnames and also create a visual graph for the list of KBs as per your choice. (Example screenshot below)</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-02-06 at 6.30.37 PM.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/47672iA62F53ECBDD79821/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot 2023-02-06 at 6.30.37 PM.png" alt="Screenshot 2023-02-06 at 6.30.37 PM.png" /></span></P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>&nbsp;</P> <P>Please mark the response as "Accept as Solution" if it was able to resolve your query.</P> <P>&nbsp;</P> <P>Regards</P> Mon, 06 Feb 2023 10:52:34 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-view-information-about-windows-endpoints-missing-with-kb/m-p/529971#M3562 neelrohit 2023-02-06T10:52:34Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-view-information-about-windows-endpoints-missing-with-kb/m-p/529978#M3563 <P>Thanks for the info. I'll try it.</P> Mon, 06 Feb 2023 11:29:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/export-view-information-about-windows-endpoints-missing-with-kb/m-p/529978#M3563 haimmiller 2023-02-06T11:29:30Z