https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-unmanaged-assets-search-with-xql/m-p/543227#M4430 <P><SPAN>Hello Everyone,</SPAN></P> <P>&nbsp;</P> <P><SPAN>I have a following question: Since XDR agents are able to detect unmanaged assets in their network (without Broker VM), how can I get that information via XQL ?&nbsp;</SPAN></P> <P><SPAN>Any information will be usefully.</SPAN></P> <P><SPAN>Thank you</SPAN></P> Wed, 24 May 2023 16:30:08 GMT Retired Member 2023-05-24T16:30:08Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-unmanaged-assets-search-with-xql/m-p/543227#M4430 <P><SPAN>Hello Everyone,</SPAN></P> <P>&nbsp;</P> <P><SPAN>I have a following question: Since XDR agents are able to detect unmanaged assets in their network (without Broker VM), how can I get that information via XQL ?&nbsp;</SPAN></P> <P><SPAN>Any information will be usefully.</SPAN></P> <P><SPAN>Thank you</SPAN></P> Wed, 24 May 2023 16:30:08 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-unmanaged-assets-search-with-xql/m-p/543227#M4430 Retired Member 2023-05-24T16:30:08Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-unmanaged-assets-search-with-xql/m-p/543282#M4433 <P>Hi&nbsp;@Retired Member&nbsp;</P> <P>&nbsp;</P> <P>For your use case <SPAN>to detect unmanaged assets in network (without Broker VM), if those endpoints are domain joined&nbsp;you can leverage the&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Datasets-and-Presets" target="_blank" rel="nofollow noopener noreferrer">Cloud Identity Engine dataset</A>&nbsp;(pan_dss_raw) to cross-reference the data with endpoints data to identify assets which are a part of the organization domain but are&nbsp;<STRONG>not</STRONG>&nbsp;in the endpoints dataset. </SPAN></P> <P>&nbsp;</P> <P><SPAN>XQL query for reference:&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>dataset = pan_dss_raw <BR />| fields name,ou,os,type<BR />| filter type= "computer"<BR />| dedup name<BR />| filter name not in (dataset=endpoints | alter hostname = lowercase(endpoint_name) | fields hostname )</SPAN></P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>Please mark the response as "Accept as Solution" if it answers your query.</P> Thu, 25 May 2023 04:23:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-unmanaged-assets-search-with-xql/m-p/543282#M4433 PiyushKohli 2023-05-25T04:23:23Z