https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlating-a-file-path-to-application-inventory/m-p/1247897#M9120 <P>Hello,&nbsp;</P> <P>&nbsp;</P> <P>I am gathering an application inventory for endpoints in our environment. As part of this inventory, I'd like to include the install path for these applications. Currently Host Inventory XQL dataset only showcases uninstall strings in the applications field. Assistance in correlating an install path via joining datasets or something similar would be greatly appreciated.</P> <P>&nbsp;</P> <P>Thanks</P> Tue, 10 Feb 2026 21:05:12 GMT K.Murphy009035 2026-02-10T21:05:12Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlating-a-file-path-to-application-inventory/m-p/1247897#M9120 <P>Hello,&nbsp;</P> <P>&nbsp;</P> <P>I am gathering an application inventory for endpoints in our environment. As part of this inventory, I'd like to include the install path for these applications. Currently Host Inventory XQL dataset only showcases uninstall strings in the applications field. Assistance in correlating an install path via joining datasets or something similar would be greatly appreciated.</P> <P>&nbsp;</P> <P>Thanks</P> Tue, 10 Feb 2026 21:05:12 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlating-a-file-path-to-application-inventory/m-p/1247897#M9120 K.Murphy009035 2026-02-10T21:05:12Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlating-a-file-path-to-application-inventory/m-p/1247934#M9122 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1153168243">@K.Murphy009035</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P>To correlate an installation path with your application inventory, you can perform a join between the Host Inventory data (which contains the static list of installed software) and the XDR Data dataset (which captures real-time process execution telemetry including the file path).</P> <P>&nbsp;</P> <P>While the <CODE>host_inventory</CODE> dataset primarily focuses on application metadata like names, versions, and uninstall strings, the <CODE>xdr_data</CODE> dataset records the actual <CODE>action_process_image_path</CODE> when an application's process is executed on an endpoint.</P> <P>&nbsp;</P> <P><STRONG>Recommended XQL Query:</STRONG></P> <P>&nbsp;</P> <P>The following query filters for process execution events in <CODE>xdr_data</CODE> to retrieve the file path and then joins that data with the <CODE>host_inventory_applications</CODE> preset to enrich it with inventory details:</P> <P>&nbsp;</P> <PRE><CODE class="language-sql">config case_sensitive = false | dataset = xdr_data // 1. Filter for process events to identify the execution path | filter event_type = ENUM.PROCESS | fields agent_hostname, action_process_image_name, action_process_image_path, action_process_signature_product // 2. Reduce the results to unique host/application pairs | dedup agent_hostname, action_process_image_name // 3. Join with Host Inventory to correlate with the installed application list | join type = left ( preset = host_inventory_applications | fields endpoint_name, application_name, version, vendor ) as inv inv.endpoint_name = agent_hostname and inv.application_name contains action_process_image_name // 4. Display the inventory name along with the identified install path | fields agent_hostname, inv.application_name, inv.version, action_process_image_path, inv.vendor </CODE></PRE> <P><STRONG>Key Components of the Solution:</STRONG></P> <P><CODE>action_process_image_path</CODE>: This field from the <CODE>xdr_data</CODE> dataset provides the full directory path to the executable.</P> <P><CODE>host_inventory_applications</CODE>: This is the recommended preset for retrieving a comprehensive list of installed programs, including version and vendor information.</P> <P><CODE>join</CODE> Stage: Correlates the hostname and application name between the two datasets to map the execution path to the inventory record.</P> <P>&nbsp;</P> <P><STRONG>Important Considerations:</STRONG></P> <P>&nbsp;</P> <P><STRONG>Host Insights Licensing</STRONG>: Accessing the <CODE>host_inventory</CODE> dataset and the <CODE>host_inventory_applications</CODE> preset requires an active Host Insights add-on license and must be enabled in your Agent Settings profile.</P> <P><STRONG>Data Population:</STRONG> The <CODE>xdr_data</CODE> portion of the query only returns paths for applications that have actually run on the endpoint. If an application is installed but has never been executed, the path will not appear in <CODE>xdr_data</CODE>.</P> <P><STRONG>JSON Expansion:</STRONG> If you wish to manually inspect all fields within the <CODE>host_inventory</CODE> application array (including the uninstall string you mentioned), you can use the <CODE>arrayexpand</CODE> and <CODE>json_extract</CODE> functions:</P> <PRE><CODE class="language-sql">dataset = host_inventory | arrayexpand applications | alter app_name = json_extract(applications, "$.application_name"), uninstall_string = json_extract(applications, "$.uninstall_string") | fields host_name, app_name, uninstall_string </CODE></PRE> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Wed, 11 Feb 2026 13:39:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlating-a-file-path-to-application-inventory/m-p/1247934#M9122 susekar 2026-02-11T13:39:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlating-a-file-path-to-application-inventory/m-p/1248058#M9128 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/241098">@susekar</a>&nbsp;,</P> <P>&nbsp;</P> <P>The query required some altering to fit my needs. But the join logic was extremely insightful. Thank you for the well-crafted response.&nbsp;</P> Thu, 12 Feb 2026 23:15:34 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlating-a-file-path-to-application-inventory/m-p/1248058#M9128 K.Murphy009035 2026-02-12T23:15:34Z