https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-display-hosts-with-kb-not-installed/m-p/578223#M6141 <P>Try this using one KB value at a time.</P> <P>&nbsp;</P> <P>preset = host_inventory_kbs<BR />| filter endpoint_type contains "WORKSTATION" <BR />| filter hotfix_id != null<BR />| filter hotfix_id not contains "KB5034763"<BR />| fields endpoint_name, hotfix_id</P> Fri, 23 Feb 2024 19:24:53 GMT CJNTS 2024-02-23T19:24:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-display-hosts-with-kb-not-installed/m-p/577888#M6116 <P>Hi,</P> <P>If I want to display hosts with some KBs installed, it is relatively easy as I use following query:</P> <LI-CODE lang="markup">preset = host_inventory_kbs | filter endpoint_type contains "WORKSTATION" and hotfix_id in ("KB5034763","KB5034122") | fields endpoint_name</LI-CODE> <P>Problem starts when I want to display hosts without any of KBs installed as with operator NOT IN, results shows all other patches not hosts without them. Could somebody advise how to create it correctly please?&nbsp;</P> Wed, 21 Feb 2024 12:02:03 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-display-hosts-with-kb-not-installed/m-p/577888#M6116 Piotr_Kowalczyk 2024-02-21T12:02:03Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-display-hosts-with-kb-not-installed/m-p/578223#M6141 <P>Try this using one KB value at a time.</P> <P>&nbsp;</P> <P>preset = host_inventory_kbs<BR />| filter endpoint_type contains "WORKSTATION" <BR />| filter hotfix_id != null<BR />| filter hotfix_id not contains "KB5034763"<BR />| fields endpoint_name, hotfix_id</P> Fri, 23 Feb 2024 19:24:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-display-hosts-with-kb-not-installed/m-p/578223#M6141 CJNTS 2024-02-23T19:24:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-display-hosts-with-kb-not-installed/m-p/578462#M6157 <P>Thanks for your reply.</P> <P>&nbsp;</P> <P>Unfortunately this query doesn't do what I was looking for. The result displays all patches which are not&nbsp;<SPAN>"KB5034763" and on which host they are installed so around 12,000 items with 800 hosts. I'm looking to display hosts which don't have this patch installed, the results should be less then total number of hosts.</SPAN></P> Tue, 27 Feb 2024 12:40:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-display-hosts-with-kb-not-installed/m-p/578462#M6157 Piotr_Kowalczyk 2024-02-27T12:40:02Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-display-hosts-with-kb-not-installed/m-p/580104#M6310 <P>Try this maybe?&nbsp; It removes the hotfix ID and uses dedup to limit the list to single entries for hosts:<BR />preset = host_inventory_kbs<BR />| filter endpoint_type contains "WORKSTATION"<BR />| filter hotfix_id != null<BR />| filter hotfix_id not contains "KB5034763"<BR />| fields endpoint_name<BR />| dedup endpoint_name </P> Tue, 12 Mar 2024 19:07:48 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-display-hosts-with-kb-not-installed/m-p/580104#M6310 tporritt 2024-03-12T19:07:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-display-hosts-with-kb-not-installed/m-p/580184#M6314 <P>Hi,</P> <P>&nbsp;</P> <P>Thank you for the reply.</P> <P>&nbsp;</P> <P>Sadly the query doesn't work. If the&nbsp;<SPAN>KB5034763 would be the only update on computer it would give proper results but as it is not, it shows all other updates and as a result after deduplication, returns all computers.</SPAN></P> Wed, 13 Mar 2024 10:25:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-display-hosts-with-kb-not-installed/m-p/580184#M6314 Piotr_Kowalczyk 2024-03-13T10:25:23Z