04-19-2022 09:39 AM
Hello @PankajThakre,
As far as I know, the way to do this is to have an XDR Pro license for your endpoints and have the Host Insights add-on.
With that, you have the inventory of apps installed on each of your endpoints where the Cortex XDR agent is installed and has the Enable Host insights capabilities in your agent settings.
You will then be able to access the inventory from the UI under Assets > Vulnerability Assessment > Host inventory > Applications
Direct link:
https://<yourCortexTenant>.xdr.<countrycode>.paloaltonetworks.com/host-insights/apps/apps-only
You can also query the info with the following XQL query:
*************************************
dataset = host_inventory
| arrayexpand applications
| alter software = json_extract(applications, "$.application_name"), install_date = json_extract(applications, "$.install_date"), version = json_extract(applications, "$.version")
| filter applications contains $Software
| fields host_name, software, version, install_date
*************************************
$Software is a variable that if you save in your Query Library, it will ask you for the software that you want to search for. You can replace that with whatever you want to search for.
Hope that helps.
Thanks
LD
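One way to post-process the result of the query above offline, as an added example that is not part of the original posts or Palo Alto Networks code. It assumes the results were exported as tab-separated text with the four `fields` columns and that `json_extract` values still carry their JSON double quotes; the rows and the `21.07` threshold are constructed.

```python
import csv
import io
import json

# Constructed sample export (TSV) with the query's four output fields.
# Assumption: json_extract() values still carry their JSON double quotes.
SAMPLE_TSV = "\n".join([
    "host_name\tsoftware\tversion\tinstall_date",
    'WS-001\t"7-Zip"\t"19.00"\t"2021-03-02"',
    'WS-002\t"7-Zip"\t"21.07"\t"2022-01-15"',
    'WS-003\t"7-Zip"\t"21.7.0"\t"2022-02-01"',
    'SRV-01\t"7-Zip"\t"16.04 beta"\t"2019-11-20"',
    'WS-004\t7-Zip\t\t',
])

def unquote(value):
    """Strip JSON quoting left on a field; pass plain text through unchanged."""
    try:
        decoded = json.loads(value)
    except ValueError:
        return value.strip()
    return decoded if isinstance(decoded, str) else value.strip()

def version_key(version):
    """Turn '21.07' or '16.04 beta' into a comparable tuple of ints."""
    tokens = version.split()
    parts = []
    for piece in (tokens[0].split(".") if tokens else []):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while parts and parts[-1] == 0:  # so 21.7.0 and 21.07 compare equal
        parts.pop()
    return tuple(parts)

def outdated_hosts(tsv_text, software, minimum):
    """List (host, version) below `minimum`; unparsable versions are 'unknown'."""
    floor = version_key(minimum)
    findings = []
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if unquote(row["software"]).lower() != software.lower():
            continue
        version = unquote(row["version"] or "")
        key = version_key(version)
        if not key:
            findings.append((row["host_name"], "unknown"))
        elif key < floor:
            findings.append((row["host_name"], version))
    return findings
```

Hosts reported as `unknown` have no usable version string in the inventory row and need a manual check rather than being treated as up to date.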
04-20-2022 01:19 AM
Hello LD,
Thanks for the quick reply.
Also, I found an article where we can find software inventory information in the TSF logs of the individual agent. There is a file called "InstalledAppsList.txt" that is stored when downloading the TSF.
Regards
Pankaj Thakre