topic Software Inventory query in Cortex XDR Discussions

Software Inventory query

Piotr_Kowalczyk — Mon, 19 Feb 2024 16:56:26 GMT

Hi,

I'm using following query to get software inventory and it is working well. However to the results, as last column, I would like to add number of hosts which have particular software. Could somebody advise how to do this please?

Re: Software Inventory query

jmazzeo — Tue, 20 Feb 2024 18:19:19 GMT

Hi @Piotr_Kowalczyk, thanks for reaching us using the Live Community.

Please try this one:

dataset = host_inventory | arrayexpand applications | alter software = json_extract(applications, "$.application_name"),software_vendor = json_extract(applications, "$.vendor") | filter os_type = ENUM.OS_WINDOWS and product_type != ENUM.SERVER | fields software,software_vendor, agent_name | comp count(agent_name) as installations by software,software_vendor | sort desc installations

Re: Software Inventory query

aspatil — Wed, 21 Feb 2024 06:11:00 GMT

Hello @Piotr_Kowalczyk ,

Agent name may not be the good field to use for your use case.

agent_name is endpoint alias value . It is not necessarily all endpoints would have value defined in endpoint alias. Instead replace it with the hostname.

dataset = host_inventory
| arrayexpand applications
| alter software = json_extract(applications, "$.application_name"),software_vendor = json_extract(applications, "$.vendor"), software_verion = json_extract(applications, "$.version")
| filter os_type = ENUM.OS_WINDOWS and product_type != ENUM.SERVER
| fields software,software_vendor,software_verion ,host_name
|comp count(host_name ) as installations by software,software_vendor , software_verion
|sort desc installations

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Re: Software Inventory query

aspatil — Wed, 21 Feb 2024 08:00:36 GMT

Hello @Piotr_Kowalczyk ,

Using dataset which runs for 90 days, you will get multiple entries of same endpoint which may result in discrepancy in count. Instead you can call the preset.

preset = host_inventory_applications
| fields application_name , vendor , version , endpoint_name
| comp count(endpoint_name) as installations by application_name , vendor , version
| sort desc installations

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Re: Software Inventory query

Piotr_Kowalczyk — Wed, 21 Feb 2024 09:42:13 GMT

Aspatil, many thanks for your answer. Indeed using preset was better option as it didn't multiple values when run on 30 days. Will you be able to tell me why dataset = host_inventory gives multiple values but preset = host_inventory_application doesn't please?

Re: Software Inventory query

Piotr_Kowalczyk — Wed, 21 Feb 2024 09:43:53 GMT

Jmazzeo, many thanks for your reply. It was very close to what I was looking for, however when I run it on more than 24 hours it showed multiple values.

Re: Software Inventory query

aspatil — Wed, 21 Feb 2024 09:56:45 GMT

Hello @Piotr_Kowalczyk ,

The reason is dataset contains the raw data. Hence whenever scan happens the data get saved in it. The most important factor is _time field. I found that the multiple entries has different time, hence incorrect count. But, Preset has more efficient data and only contains required fields.

Re: Software Inventory query

Piotr_Kowalczyk — Wed, 21 Feb 2024 10:15:04 GMT

Thank you, Aspatil!