XQL query for browsers installed or in usage on host + Host_name.

ori_stolero — Tue, 02 Jul 2024 14:24:03 GMT

Hi,

I need to find which browsers the users using for daily tasks.
I'm looking for a XQL query for browsers installed or browsers in usage by the user + hostname,
The date that the app installed and the version is not so important as long as i get the browser name or vendor like chrome, Firefox etc.
I can provide browsers list to search for or any other way to find it.

I tried a few query but once I check the result it didn't was accrued.

B.Regards,
Ori

Re: XQL query for browsers installed or in usage on host + Host_name.

kiwi — Thu, 04 Jul 2024 10:08:20 GMT

Hi @ori_stolero ,

Can you share what you have tried already ?

I was thinking something along these lines:

dataset = xdr_data | filter lowercase(action_file_path) in ('c:\program files\google\chrome\application\chrome.exe', 'c:\program files\mozilla firefox\firefox.exe', 'c:\program files (x86)\microsoft\edge\application\msedge.exe', 'c:\program files\internet explorer\iexplore.exe', 'c:\program files\opera\launcher.exe', 'c:\program files\safari\safari.exe') | fields agent_hostname, action_file_path, action_file_name, action_local_ip, action_remote_ip

This query filters the xdr_data dataset for specific paths where browser executables are typically located. The lowercase function ensures the path comparison is case-insensitive. You can add or modify paths according to the actual installation directories used in your environment.

The "fields agent_hostname, action_file_path, action_file_name, action_local_ip, action_remote_ip" specifies the fields to include in the output, such as the hostname, file path, file name, and local/remote IP addresses involved in the action.

Hope this helps,

-Kim.

Re: XQL query for browsers installed or in usage on host + Host_name.

ori_stolero — Thu, 04 Jul 2024 12:24:10 GMT

Hey,

Thank you for your reply,
The Issue is that if the application installed too long (for Ex a year ago) the query don't find it,
i tried to run this query for last month,

dataset = xdr_data
| filter lowercase(action_file_path) in ("C:\Users\Username\AppData\Local\Vivaldi\Application\Vivaldi.exe")
| fields agent_hostname, action_file_path, action_file_name, action_local_ip, action_remote_ip

But it didn't give any results.
Any Idea will be appreciated?

I query that I tried is this one;
**************************************************************
dataset = host_inventory
| filter applications != null
| arrayexpand applications
| alter applicationname=json_extract(applications, "$.application_name")
| alter applicationversion=json_extract(applications, "$.version")
| alter appvendor=json_extract(applications, "$.vendor")
| alter installdate=json_extract(applications, "$.install_date")
| alter applicationNameCount = "0" // create a new column called 'applicationnameC
| alter applicationNameCount = if (applicationname contains "Chrome", replace (applicationNameCount, "0" , "1" ), applicationNameCount ) // if application 1 is installed
| alter applicationNameCount = if (applicationname contains "Firefox", replace (applicationNameCount, "0", "2"), applicationNameCount ) // if application 2 is installed
| alter applicationNameCount = if (applicationname contains "brave", replace (applicationNameCount, "0" , "3" ), applicationNameCount ) // if application 3 is installed
| alter applicationNameCount = if (applicationname contains "edge", replace (applicationNameCount, "0" , "4" ), applicationNameCount ) // if application 4 is installed
| alter applicationNameCount = if (applicationname contains "Amigo", replace (applicationNameCount, "0" , "5" ), applicationNameCount ) // if application 5 is installed
| alter applicationNameCount = if (applicationname contains "Arc", replace (applicationNameCount, "0" , "6" ), applicationNameCount ) // if application 6 is installed
| alter applicationNameCount = if (applicationname contains "Chromium", replace (applicationNameCount, "0" , "7" ), applicationNameCount ) // if application 7 is installed
| alter applicationNameCount = if (applicationname contains "Vivaldi", replace (applicationNameCount, "0" , "8" ), applicationNameCount ) // if application 8 is installed
| alter applicationNameCount = if (applicationname contains "opera", replace (applicationNameCount, "0" , "9" ), applicationNameCount ) // if application 9 is installed
| alter applicationNameCount = if (applicationname contains "safari", replace (applicationNameCount, "0" , "10" ), applicationNameCount ) // if application 10 is installed
| alter applicationNameCount = if (applicationname contains "Tor", replace (applicationNameCount, "0" , "11" ), applicationNameCount ) // if application 11 is installed
| alter applicationNameCount = if (applicationname contains "Sogou", replace (applicationNameCount, "0" , "12" ), applicationNameCount ) // if application 12 is installed
| alter applicationNameCount = if (applicationname contains "QQ", replace (applicationNameCount, "0" , "13" ), applicationNameCount ) // if application 13 is installed
| alter applicationNameCount = if (applicationname contains "Yandex", replace (applicationNameCount, "0" , "14" ), applicationNameCount ) // if application 14 is installed
| alter applicationNameCount = if (applicationname contains "Baidu", replace (applicationNameCount, "0" , "15" ), applicationNameCount ) // if application 15 is installed
| alter applicationNameCount = if (applicationname contains "Amigo", replace (applicationNameCount, "0" , "16" ), applicationNameCount ) // if application 16 is installed
| alter applicationNameCount = if (applicationname contains "uc", replace (applicationNameCount, "0" , "17" ), applicationNameCount ) // if application 16 is installed
| comp sum (to_integer(applicationNameCount)) as appInstalled by host_name
**************************************************************

Re: XQL query for browsers installed or in usage on host + Host_name.

ori_stolero — Tue, 09 Jul 2024 10:32:12 GMT

Any other ideas are greatly appreciated

topic XQL query for browsers installed or in usage on host + Host_name. in Cortex XDR Discussions

XQL query for browsers installed or in usage on host + Host_name.

Re: XQL query for browsers installed or in usage on host + Host_name.

Re: XQL query for browsers installed or in usage on host + Host_name.

Re: XQL query for browsers installed or in usage on host + Host_name.