https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-host-inventory-and-endpoint-in-xql-query/m-p/556100#M5072 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/256101">@nsinghvirk</a></P> <P>&nbsp;</P> <P>Thank you for your answer!</P> <P>You're right, this is a licenses problem; I didn't check that.</P> Fri, 01 Sep 2023 08:11:48 GMT RemiLiquete 2023-09-01T08:11:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-host-inventory-and-endpoint-in-xql-query/m-p/556023#M5070 <P>Hello,</P> <P>&nbsp;</P> <P>I'm trying to search for all installed vpn on endpoints using an XQL Query.</P> <P>Before going further in my query, I'm trying to list all hosts where the application name contains "*vpn*".</P> <P>&nbsp;</P> <P>This result and the result from host insight doing the same search are different. Somes endpoints are not showing in the query. So I've tried to search for those missing endpoints in query. I only find them when using the dataset "endpoints". I can't find them using host_inventory.<BR />Why?</P> Thu, 31 Aug 2023 15:10:39 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-host-inventory-and-endpoint-in-xql-query/m-p/556023#M5070 RemiLiquete 2023-08-31T15:10:39Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-host-inventory-and-endpoint-in-xql-query/m-p/556034#M5071 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/311763">@RemiLiquete</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>Possible reason for not getting same number of hosts in endpoint and host_inventory dataset can be that the host insight capability was not enabled for all the hosts in agent setting profile. Other possible reason can be that you have limited number of Host Insight licenses which are required for host_inventory to work. Hence you may be missing out data from some of the hosts in host_inventory dataset.</P> Thu, 31 Aug 2023 17:32:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-host-inventory-and-endpoint-in-xql-query/m-p/556034#M5071 nsinghvirk 2023-08-31T17:32:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-host-inventory-and-endpoint-in-xql-query/m-p/556100#M5072 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/256101">@nsinghvirk</a></P> <P>&nbsp;</P> <P>Thank you for your answer!</P> <P>You're right, this is a licenses problem; I didn't check that.</P> Fri, 01 Sep 2023 08:11:48 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-host-inventory-and-endpoint-in-xql-query/m-p/556100#M5072 RemiLiquete 2023-09-01T08:11:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-host-inventory-and-endpoint-in-xql-query/m-p/557573#M5133 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/311763">@RemiLiquete</a>,&nbsp;</P> <P>&nbsp;</P> <P>please set me know if you also have the problem to get them inside host inventory when your licence issue is solved.&nbsp;</P> <P>In my opinion you have to reinstall the agent, because I have severall clients which are not visible in the host inventory after license upgrade.</P> <P>&nbsp;</P> <P>BR</P> <P>Rob&nbsp;</P> Tue, 12 Sep 2023 16:16:22 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-host-inventory-and-endpoint-in-xql-query/m-p/557573#M5133 RFeyertag 2023-09-12T16:16:22Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-host-inventory-and-endpoint-in-xql-query/m-p/557741#M5143 <P>Hello, thank you for the information.<BR />For now, I did not resolve this issue since it's not impacting for now. I let you know if it changes.<BR /><BR /></P> Wed, 13 Sep 2023 15:20:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-host-inventory-and-endpoint-in-xql-query/m-p/557741#M5143 RemiLiquete 2023-09-13T15:20:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-host-inventory-and-endpoint-in-xql-query/m-p/557802#M5147 <P>You're welcome!</P> <P>Maybe you have more visibility with this XQL:</P> <P>&nbsp;</P> <P><BR />config case_sensitive = false<BR />| dataset = endpoints <BR />|join conflict_strategy = both type = left (dataset = host_inventory ) as HI HI.host_name = endpoint_name and HI.agent_domain = domain <BR />|fields domain , endpoint_name, last_seen, host_name, endpoint_status <BR />|filter host_name = null<BR />|sort desc last_seen</P> Wed, 13 Sep 2023 20:42:27 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-host-inventory-and-endpoint-in-xql-query/m-p/557802#M5147 RFeyertag 2023-09-13T20:42:27Z