https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-data-lake-windows-11-build-amp-enablement-info/m-p/1241614#M8861 <P>Windows 11 (and 10 presumably) has a series of numbers which, together, identify the build and patch level of the OS.&nbsp; This would be a combination of Version: <SPAN>Windows 11 and/or Build Number: 10.0.22631.&nbsp; The Patch Level (or Enablement Level) is shown by an additional 4 digit number at the end of the Build Number like Windows Build 10.0.22631.<STRONG>4317</STRONG>.&nbsp;&nbsp;</SPAN>In the Cortex Data Lake I can find all this, in the Operating System and OS Version fields, <STRONG>except</STRONG>&nbsp;for the Patch/Enablement 4 digit number.&nbsp;Does this exist in the Cortex Data Lake and, if so, how would I get it?</P> Wed, 12 Nov 2025 00:15:50 GMT kenlacrosse 2025-11-12T00:15:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-data-lake-windows-11-build-amp-enablement-info/m-p/1241614#M8861 <P>Windows 11 (and 10 presumably) has a series of numbers which, together, identify the build and patch level of the OS.&nbsp; This would be a combination of Version: <SPAN>Windows 11 and/or Build Number: 10.0.22631.&nbsp; The Patch Level (or Enablement Level) is shown by an additional 4 digit number at the end of the Build Number like Windows Build 10.0.22631.<STRONG>4317</STRONG>.&nbsp;&nbsp;</SPAN>In the Cortex Data Lake I can find all this, in the Operating System and OS Version fields, <STRONG>except</STRONG>&nbsp;for the Patch/Enablement 4 digit number.&nbsp;Does this exist in the Cortex Data Lake and, if so, how would I get it?</P> Wed, 12 Nov 2025 00:15:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-data-lake-windows-11-build-amp-enablement-info/m-p/1241614#M8861 kenlacrosse 2025-11-12T00:15:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-data-lake-windows-11-build-amp-enablement-info/m-p/1249062#M9174 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/102416">@kenlacrosse</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <DIV class="flex flex-col text-sm"> <ARTICLE class="text-token-text-primary w-full focus:outline-none [--shadow-height:45px] has-data-writing-block:pointer-events-none has-data-writing-block:-mt-(--shadow-height) has-data-writing-block:pt-(--shadow-height) [&amp;:has([data-writing-block])&gt;*]:pointer-events-auto scroll-mt-[calc(var(--header-height)+min(200px,max(70px,20svh)))]" dir="auto" tabindex="-1" data-turn="assistant" data-scroll-anchor="true" data-testid="conversation-turn-12" data-turn-id="request-WEB:58004001-668f-4d2f-a1df-26fe28b221e7-5"> <DIV class="text-base my-auto mx-auto pb-10 [--thread-content-margin:--spacing(4)] @w-sm/main:[--thread-content-margin:--spacing(6)] @w-lg/main:[--thread-content-margin:--spacing(16)] px-(--thread-content-margin)"> <DIV class="[--thread-content-max-width:40rem] @w-lg/main:[--thread-content-max-width:48rem] mx-auto max-w-(--thread-content-max-width) flex-1 group/turn-messages focus-visible:outline-hidden relative flex w-full min-w-0 flex-col agent-turn" tabindex="-1"> <DIV class="flex max-w-full flex-col grow"> <DIV class="min-h-8 text-message relative flex w-full flex-col items-end gap-2 text-start break-words whitespace-normal [.text-message+&amp;]:mt-1" dir="auto" data-message-model-slug="gpt-5-2" data-message-id="a1a1c919-3d8c-4a78-80b5-64734cb92e75" data-message-author-role="assistant"> <DIV class="flex w-full flex-col gap-1 empty:hidden first:pt-[1px]"> <DIV class="markdown prose dark:prose-invert w-full wrap-break-word light markdown-new-styling"> <P data-end="277" data-start="0">The detailed 4-digit Windows patch level (known as the <STRONG data-end="86" data-start="55">Update Build Revision (UBR)</STRONG>) is not natively available as a standard, indexed field within the Cortex XDR/XSIAM management console or within standard Cortex Data Lake datasets (such as <CODE data-end="255" data-start="244">endpoints</CODE> or <CODE data-end="275" data-start="259">host_inventory</CODE>).</P> <P data-end="277" data-start="0">&nbsp;</P> <P data-end="488" data-start="279">By design, the platform synchronizes only the major OS build number (for example, <CODE data-end="373" data-start="361">10.0.22631</CODE>). The granular revision string changes frequently and is not considered critical for standard security monitoring.</P> <P data-end="488" data-start="279">&nbsp;</P> <H4 data-end="533" data-start="495">How to Retrieve the Full Patch Level:</H4> <H5 data-end="602" data-start="535">1. On-Demand Collection via Action Center (Recommended for Bulk):</H5> <P data-end="727" data-start="604">You can use the Action Center to run a remote command that gathers the full Windows version string from selected endpoints.</P> <H5 data-end="739" data-start="729">Steps:</H5> <OL data-end="1010" data-start="741"> <LI data-end="814" data-start="741"> <P data-end="814" data-start="744">Navigate to:<BR data-end="759" data-start="756" /><STRONG data-end="814" data-start="762">Incident and Response &gt; Response &gt; Action Center</STRONG></P> </LI> <LI data-end="878" data-start="816"> <P data-end="878" data-start="819">Click <STRONG data-end="841" data-start="825">+ New Action</STRONG> and select <STRONG data-end="877" data-start="853">Run Endpoint Scripts</STRONG>.</P> </LI> <LI data-end="937" data-start="880"> <P data-end="937" data-start="883">Search for and select the <STRONG data-end="929" data-start="909">execute_commands</STRONG> script.</P> </LI> <LI data-end="1010" data-start="939"> <P data-end="1010" data-start="942">In the <STRONG data-end="969" data-start="949">Script Parameter</STRONG> field, enter the native Windows command:&nbsp;&nbsp;<SPAN>ver</SPAN></P> </LI> </OL> <OL start="5" data-end="1241" data-start="1025"> <LI data-end="1071" data-start="1025"> <P data-end="1071" data-start="1028">Select your target hosts and click <STRONG data-end="1070" data-start="1063">Run</STRONG>.</P> </LI> <LI data-end="1241" data-start="1073"> <P data-end="1241" data-start="1076">After execution completes, the full version string (for example:<BR data-end="1143" data-start="1140" /><CODE data-end="1191" data-start="1146">Microsoft Windows [Version 10.0.22631.4317]</CODE>) will appear in the Action Center results column.</P> </LI> </OL> <P>&nbsp;</P> <H4 data-end="1285" data-start="1248">2. Live Terminal (Single Endpoint):</H4> <P data-end="1382" data-start="1287">For an individual endpoint, you can use Live Terminal and run the following PowerShell command:</P> <DIV class="relative w-full my-4"> <DIV class=""> <DIV class="relative"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="border corner-superellipse/1.1 border-token-border-light bg-token-bg-elevated-secondary rounded-3xl"> <DIV class="corner-superellipse/1.1 rounded-3xl bg-token-bg-elevated-secondary"> <DIV class="relative z-0 flex max-w-full"> <DIV id="code-block-viewer" class="q9tKkq_viewer cm-editor z-10 light:cm-light dark:cm-light flex h-full w-full flex-col items-stretch ͼ5 ͼj" dir="ltr"> <DIV class="cm-scroller"> <DIV class="cm-content q9tKkq_readonly"><SPAN>Get-ComputerInfo -Property WindowsProductName, WindowsVersion, OsHardwareAbstractionLayer</SPAN></DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV class=""> <DIV class="">&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> <P data-end="1552" data-start="1483">This returns detailed OS version properties directly from the system.</P> <P data-end="1552" data-start="1483">&nbsp;</P> <H4 data-end="1608" data-start="1559">3. Agent Log Analysis (Troubleshooting Method):</H4> <P data-end="1768" data-start="1610">The revision number is also captured locally by the agent. It can be found in the <CODE data-end="1716" data-start="1692">cortex-xdr-payload.log</CODE> file under the <STRONG data-end="1763" data-start="1732">UBR (Update Build Revision)</STRONG> key.</P> <P data-end="1792" data-start="1770">Typical file location:</P> <DIV class="relative w-full my-4"> <DIV class=""> <DIV class="relative"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="border corner-superellipse/1.1 border-token-border-light bg-token-bg-elevated-secondary rounded-3xl"> <DIV class="corner-superellipse/1.1 rounded-3xl bg-token-bg-elevated-secondary"> <DIV class="relative z-0 flex max-w-full"> <DIV id="code-block-viewer" class="q9tKkq_viewer cm-editor z-10 light:cm-light dark:cm-light flex h-full w-full flex-col items-stretch ͼ5 ͼj" dir="ltr"> <DIV class="cm-scroller"> <DIV class="cm-content q9tKkq_readonly"><SPAN>C:\ProgramData\Cyvera\Logs\SandboxService\ClassificationEngine\cortex-xdr-payload.log</SPAN></DIV> <DIV class="cm-content q9tKkq_readonly">&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <P data-end="2095" data-start="1889">Note: Accessing this file requires either manual retrieval from the endpoint or generating a <STRONG data-end="2009" data-start="1982">Tech Support File (TSF)</STRONG>. This method is generally used for troubleshooting rather than large-scale reporting.</P> <P data-end="2095" data-start="1889">&nbsp;</P> <P data-end="2095" data-start="1889"><STRONG>Summary</STRONG>:</P> <UL data-is-only-node="" data-is-last-node="" data-end="2430" data-start="2115"> <LI data-end="2182" data-start="2115"> <P data-end="2182" data-start="2117">The 4-digit Windows UBR is <STRONG data-end="2159" data-start="2144">not indexed</STRONG> in XDR/XSIAM datasets.</P> </LI> <LI data-end="2240" data-start="2183"> <P data-end="2240" data-start="2185">Only the major build number is synchronized by default.</P> </LI> <LI data-is-last-node="" data-end="2430" data-start="2241"> <P data-end="2279" data-start="2243">To obtain the full patch level, use:</P> <UL data-is-last-node="" data-end="2430" data-start="2282"> <LI data-end="2338" data-start="2282"> <P data-end="2338" data-start="2284"><STRONG data-end="2338" data-start="2284">Action Center (recommended for multiple endpoints)</STRONG></P> </LI> <LI data-end="2378" data-start="2341"> <P data-end="2378" data-start="2343"><STRONG data-end="2378" data-start="2343">Live Terminal (single endpoint)</STRONG></P> </LI> <LI data-is-last-node="" data-end="2430" data-start="2381"> <P data-is-last-node="" data-end="2430" data-start="2383"><STRONG data-is-last-node="" data-end="2430" data-start="2383">Agent log review (advanced troubleshooting)</STRONG></P> </LI> </UL> </LI> </UL> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </ARTICLE> </DIV> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Thu, 26 Feb 2026 14:04:43 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-data-lake-windows-11-build-amp-enablement-info/m-p/1249062#M9174 susekar 2026-02-26T14:04:43Z