https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/kb-kb5022661/m-p/1244968#M8990 <P>Hello,</P> <P>Does anyone have a Cortex XDR query to check if any endpoints and/or servers are missing Microsoft KB5022661.&nbsp; Any assistance would be greatly appreciated</P> Tue, 06 Jan 2026 14:53:09 GMT M.Rivera653095 2026-01-06T14:53:09Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/kb-kb5022661/m-p/1244968#M8990 <P>Hello,</P> <P>Does anyone have a Cortex XDR query to check if any endpoints and/or servers are missing Microsoft KB5022661.&nbsp; Any assistance would be greatly appreciated</P> Tue, 06 Jan 2026 14:53:09 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/kb-kb5022661/m-p/1244968#M8990 M.Rivera653095 2026-01-06T14:53:09Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/kb-kb5022661/m-p/1246292#M9036 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/624549139">@M.Rivera653095</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P>To identify endpoints and servers missing Microsoft KB5022661, you can use <STRONG>Cortex XDR Query Language (XQL)</STRONG> to search through Host Inventory data. Identifying missing patches typically requires a <EM>negative search</EM>, where you compare the total list of endpoints against those that have the specific KB installed.</P> <HR /> <H4>XQL Query: Identifying Missing KB5022661</H4> <P>The most reliable method is to perform a <STRONG>left join</STRONG> between the complete endpoints dataset and the <CODE>host_inventory_kbs</CODE> preset.</P> <PRE><CODE class="language-xql">dataset = endpoints | filter endpoint_status != ENUM.CONNECTION_LOST | join conflict_strategy = left type = left (preset = host_inventory_kbs | filter hotfix_id == "KB5022661") as kbs kbs.endpoint_id = endpoint_id | alter found = if(kbs.hotfix_id != null, 1, 0) | comp sum(found) as total_found by endpoint_name, endpoint_id | filter total_found == 0 | fields endpoint_name, endpoint_id </CODE></PRE> <HR /> <H4>Alternative XQL Method: Expanding the KB Array</H4> <P>You can also query the <CODE>host_inventory</CODE> dataset directly by expanding the <CODE>kbs</CODE> array and filtering for hosts where the target KB is not present:</P> <PRE><CODE class="language-xql">dataset = host_inventory | fields agent_id, host_name, kbs | arrayexpand kbs | alter kb_id = json_extract_scalar(to_json_string(kbs), "$.hotfix_id") | alter is_target = if(kb_id == "KB5022661", 1, 0) | comp sum(is_target) as kb_check by host_name, agent_id | filter kb_check == 0 </CODE></PRE> <HR /> <H4>Alternative: Azure Code Signing (ACS) Diagnostic Script</H4> <P>KB5022661 is specifically required to support Azure Code Signing (ACS), which is a prerequisite for newer Cortex XDR agent versions (for example, 8.8 and above).</P> <UL> <LI> <P><STRONG>The <CODE>test_acs</CODE> Script:</STRONG><BR />You can run the <CODE>test_acs</CODE> diagnostic script from the Cortex XDR script library on endpoints. If the script returns <CODE>False</CODE>, it confirms that the necessary ACS support (such as KB5022661 or a superseding update) is missing.</P> </LI> <LI> <P><STRONG>Result Visibility:</STRONG><BR />Script execution results are stored in the <STRONG>Action Center</STRONG> and are not queryable natively via XQL by default. To query these results centrally, you would need to use XSOAR to retrieve the results via API and ingest them into a custom XQL dataset.</P> </LI> </UL> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;"mark this as a Solution".</P> <P>&nbsp;</P> <P>Happy New year!!</P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> <P>&nbsp;</P> Thu, 22 Jan 2026 17:04:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/kb-kb5022661/m-p/1246292#M9036 susekar 2026-01-22T17:04:33Z