Cortex Data Lake - Windows 11 Build & Enablement(?) Info


L1 Bithead

Windows 11 (and 10 presumably) has a series of numbers which, together, identify the build and patch level of the OS. This would be a combination of Version: Windows 11 and/or Build Number: 10.0.22631. The Patch Level (or Enablement Level) is shown by an additional 4 digit number at the end of the Build Number like Windows Build 10.0.22631.4317. In the Cortex Data Lake I can find all this, in the Operating System and OS Version fields, except for the Patch/Enablement 4 digit number. Does this exist in the Cortex Data Lake and, if so, how would I get it?

L5 Sessionator

Hello @kenlacrosse ,
Greetings for the day.
The detailed 4-digit Windows patch level (known as the Update Build Revision (UBR)) is not natively available as a standard, indexed field within the Cortex XDR/XSIAM management console or within standard Cortex Data Lake datasets (such as endpoints or host_inventory).
By design, the platform synchronizes only the major OS build number (for example, 10.0.22631). The granular revision string changes frequently and is not considered critical for standard security monitoring.
How to Retrieve the Full Patch Level:

1. On-Demand Collection via Action Center (Recommended for Bulk):

You can use the Action Center to run a remote command that gathers the full Windows version string from selected endpoints.

Steps:
  1. Navigate to:
    Incident and Response > Response > Action Center

  2. Click + New Action and select Run Endpoint Scripts.

  3. Search for and select the execute_commands script.

  4. In the Script Parameter field, enter the native Windows command: ver

  5. Select your target hosts and click Run.

  6. After execution completes, the full version string (for example:
    Microsoft Windows [Version 10.0.22631.4317]) will appear in the Action Center results column.

2. Live Terminal (Single Endpoint):

For an individual endpoint, you can use Live Terminal and run the following PowerShell command:

Get-ComputerInfo -Property WindowsProductName, WindowsVersion, OsHardwareAbstractionLayer
This returns detailed OS version properties directly from the system.
3. Agent Log Analysis (Troubleshooting Method):

The revision number is also captured locally by the agent. It can be found in the cortex-xdr-payload.log file under the UBR (Update Build Revision) key.

Typical file location:

C:\ProgramData\Cyvera\Logs\SandboxService\ClassificationEngine\cortex-xdr-payload.log
Note: Accessing this file requires either manual retrieval from the endpoint or generating a Tech Support File (TSF). This method is generally used for troubleshooting rather than large-scale reporting.
Summary:

  • The 4-digit Windows UBR is not indexed in XDR/XSIAM datasets.

  • Only the major build number is synchronized by default.

  • To obtain the full patch level, use:

    • Action Center (recommended for multiple endpoints)

    • Live Terminal (single endpoint)

    • Agent log review (advanced troubleshooting)

If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar
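Added example (not part of the reply above, and not Palo Alto Networks code): one PowerShell script that reads the full build string, including the UBR, from the Windows registry on an endpoint (for the Live Terminal route) and parses the "Microsoft Windows [Version ...]" lines that the Action Center `ver` command returns, then flags hosts whose UBR is below a baseline. The `$sample` results, the host names and the `$baseline` revision numbers are constructed for illustration; the registry key and value names are the standard ones Windows 10/11 expose.

```powershell
function Get-FullWindowsBuild {
    # Registry holds the parts: CurrentBuild (string), UBR (DWORD revision).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $cv  = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = [int]$cv.CurrentBuild   # e.g. 22631
        UBR          = [int]$cv.UBR            # e.g. 4317
        FullVersion  = '{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber,
                           $cv.CurrentMinorVersionNumber, $cv.CurrentBuild, $cv.UBR
    }
}

function ConvertFrom-VerOutput {
    # Parse "Microsoft Windows [Version 10.0.22631.4317]" as returned by "ver".
    param([string]$HostName, [string]$Line)
    if ($Line -match 'Version (\d+)\.(\d+)\.(\d+)\.(\d+)') {
        return [pscustomobject]@{
            ComputerName = $HostName
            Build        = [int]$Matches[3]
            UBR          = [int]$Matches[4]
            FullVersion  = $Matches[0] -replace '^Version '
        }
    }
    Write-Warning "Could not parse version from '$Line' for $HostName"
}

# Constructed sample of Action Center results (host -> output of "ver").
$sample = @{
    'WS-001' = 'Microsoft Windows [Version 10.0.22631.4317]'
    'WS-002' = 'Microsoft Windows [Version 10.0.22631.3880]'
    'WS-003' = 'Microsoft Windows [Version 10.0.19045.5011]'
}
# Assumed minimum UBR per build; take real values from Microsoft's update history.
$baseline = @{ 22631 = 4317; 19045 = 5011 }

$sample.GetEnumerator() | ForEach-Object { ConvertFrom-VerOutput $_.Key $_.Value } |
    Select-Object ComputerName, FullVersion, @{ n = 'Status'; e = {
        $min = $baseline[$_.Build]
        if ($null -eq $min)      { 'unknown build' }
        elseif ($_.UBR -ge $min) { 'current' }
        else                     { 'behind' } } } |
    Format-Table -AutoSize

# On the endpoint itself (e.g. via Live Terminal) read the same fields from the registry.
Get-FullWindowsBuild
```

With the constructed sample, WS-002 reports "behind" because its UBR 3880 is below the assumed 4317 baseline for build 22631; replace `$sample` with the exported Action Center results to check real hosts.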
