topic Re: XQL Question - Cortex > Host Inventory > Applications Result View in Cortex XDR Discussions

XQL Question - Cortex > Host Inventory > Applications Result View

kenlacrosse — Wed, 30 Jul 2025 23:31:46 GMT

I'm assuming that the result set shown on the page for Host Inventory > Applications is the product of an XQL query that we could write in Query Builder. I'm looking to, sort of, duplicate and modify that XQL. Does anyone know if that query is available and what the query is or where it might be found if it is available?

Thanks

Re: XQL Question - Cortex > Host Inventory > Applications Result View

dustin85mark — Thu, 31 Jul 2025 05:51:00 GMT

Yes, the result set shown on the Host Inventory > Applications page in platforms like Cortex XDR or XSIAM is generally the product of an underlying XQL (XDR Query Language) query. While the exact query used by the UI is not typically exposed directly, you can replicate or approximate it using the Query Builder. By selecting the application_inventory dataset in Query Builder, you can construct a similar query to display application names, versions, paths, and hostnames. For example, a basic XQL query like dataset = application_inventory | fields agent_hostname, application_name, application_path, application_version | sort last_seen_time desc | limit 100 closely mirrors what you see on that page. To find the exact backend query, some users inspect browser network traffic using Developer Tools (F12), filtering for requests to endpoints like /query/execute or GraphQL, where parts of the query may be encoded. Additionally, if you want to enhance the query, you can join with the host_inventory dataset to include more host details like OS type and version. While Palo Alto doesn’t publish these UI queries openly, their official XQL documentation and Query Library provide many helpful starting points, and reaching out to their support team may yield further insight if needed.

Re: XQL Question - Cortex > Host Inventory > Applications Result View

bonnie25hell — Thu, 31 Jul 2025 06:36:01 GMT

Yes, the XQL query for Host Inventory > Applications is available and can be found on the Palo Alto Networks LIVEcommunity. A common starting point for listing host inventory applications is:

`dataset = host_inventory | filter applications != null | arrayexpand applications | alter applications=json_extract(applications, "$.application_name"), software_vendor = json_extract(applications, "$.vendor"), software_verion = json_extract(applications, "$.version") | fields applications, host_name, software_vendor , software_verion`

This query can be modified in the Query Builder to suit specific needs, such as filtering for particular applications or vendors. You can also explore the `host_inventory` dataset schema in the Query Builder's Integrated Developer Environment (IDE) to discover other relevant fields.

Re: XQL Question - Cortex > Host Inventory > Applications Result View

jmazzeo — Thu, 31 Jul 2025 12:24:15 GMT

Hi @kenlacrosse,

There is a preset with all the applications data:

preset = host_inventory_applications

Every part of the Inventory has it's own preset to work with XQL:

If this post answers your question, please mark it as the solution.