Can we check via cortex XDR which are systems have any specific software installed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Can we check via cortex XDR which are systems have any specific software installed

L1 Bithead

Can we check via cortex XDR which are systems have any specific software installed

1 accepted solution

Accepted Solutions

L2 Linker

Hello @PankajThakre,

 

As far as I know, the way to do this is to have an XDR Pro license for your endpoints and have the Host Insights add-on.

 

With that, you have the inventory of apps installed on each of your endpoints where the Cortex XDR agent is installed and has the Enable Host insights capabilities in your agent settings.

 

You will then be able to access the inventory from the UI under Assets > Vulnerability Assessment > Host inventory > Applications

Direct link:

https://<yourCortexTenant>.xdr.<countrycode>.paloaltonetworks.com/host-insights/apps/apps-only

 

You can also query the info with the following XQL query:

*************************************

dataset = host_inventory
| arrayexpand applications
| alter software = json_extract(applications, "$.application_name"), install_date = json_extract(applications, "$.install_date"), version = json_extract(applications, "$.version")
| filter applications contains $Software
| fields host_name, software, version, install_date

*************************************

 

$Software is a variable that if you save in your Query Library, it will ask you for the software that you want to search for. You can replace that with whatever you want to search for.

 

Hope that helps.

 

Thanks

LD

 

 

View solution in original post

2 REPLIES 2

L2 Linker

Hello @PankajThakre,

 

As far as I know, the way to do this is to have an XDR Pro license for your endpoints and have the Host Insights add-on.

 

With that, you have the inventory of apps installed on each of your endpoints where the Cortex XDR agent is installed and has the Enable Host insights capabilities in your agent settings.

 

You will then be able to access the inventory from the UI under Assets > Vulnerability Assessment > Host inventory > Applications

Direct link:

https://<yourCortexTenant>.xdr.<countrycode>.paloaltonetworks.com/host-insights/apps/apps-only

 

You can also query the info with the following XQL query:

*************************************

dataset = host_inventory
| arrayexpand applications
| alter software = json_extract(applications, "$.application_name"), install_date = json_extract(applications, "$.install_date"), version = json_extract(applications, "$.version")
| filter applications contains $Software
| fields host_name, software, version, install_date

*************************************

 

$Software is a variable that if you save in your Query Library, it will ask you for the software that you want to search for. You can replace that with whatever you want to search for.

 

Hope that helps.

 

Thanks

LD

 

 

Hello LD,

 

Thanks for the quick reply 

 

Also I found a article where we can find software inventory information in the TSF logs of the individual agent. There is a file that is called "InstalledAppsList.txt" that is stored when downloading the TSF.

 

Regards

Pankaj Thakre

  • 1 accepted solution
  • 4676 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!