export/view information about Windows endpoints missing with KB

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

export/view information about Windows endpoints missing with KB

L0 Member

Hi,

 

I'd like to know how I can export/view information about Windows endpoints that do not apply with specific KB by specific ENDPOINT GROUPS. I can only filter by CVES or ENDPOINTS from the Vulnerability Assessment but not with KBs.

My second question is there a way to query if, for example, a Windows endpoint is not applied with the latest cumulative KB/older KBs?

 

Thanks

 

2 REPLIES 2

L5 Sessionator

Hi @haimmiller ,

 

Thank you for writing to Live Community!

 

Cortex XDR vulnerability assessment shows you the list of KBs installed on the endpoints. However, it does not show the comparative analysis or assessment for latest KBs as KBs are provided by the vendors and we do not fetch the latest serials into XDR. However, you can list the KBs in couple of ways as listed below:

  1. Using Script Execution: If you do not have host insights license but have Cortex XDR Pro license enabled on endpoints, you can use the Cortex XDR script execution. Under category of "Execute Commands" you can run the following cmdline params "wmic qfe get HotfixID" you can also use "find" at the end of this command to filter by date/month/year or the latest KB number as per your choice(example below):. You can also get the result output of the script in form of a report.

    wmic qfe get HotFixID | find "3004365"


    neelrohit_0-1675680734329.png

     

  2.  Using host insights based license and XQL: You can use the traditional host insights based dataset to query the list of installed KBs on endpoints using the following XQL query
    dataset = host_inventory 
    | arrayexpand kbs 
    | filter host_name != null and os_type != ENUM.OS_LINUX 
    | alter hotfix = json_extract(kbs , "$.name")
    | alter date = json_extract(kbs , "$.installation_date")
    | alter header = json_extract(kbs , "$.title")
    | fields host_name, hotfix, date, header

You can add filters of your choice under this to query the data for specific hostnames and also create a visual graph for the list of KBs as per your choice. (Example screenshot below)

Screenshot 2023-02-06 at 6.30.37 PM.png

 

Hope this helps!

 

Please mark the response as "Accept as Solution" if it was able to resolve your query.

 

Regards

Thanks for the info. I'll try it.

  • 1113 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!