Hi @haimmiller ,
Thank you for writing to Live Community!
Cortex XDR vulnerability assessment shows you the list of KBs installed on the endpoints. However, it does not show the comparative analysis or assessment for latest KBs as KBs are provided by the vendors and we do not fetch the latest serials into XDR. However, you can list the KBs in couple of ways as listed below:
- Using Script Execution: If you do not have host insights license but have Cortex XDR Pro license enabled on endpoints, you can use the Cortex XDR script execution. Under category of "Execute Commands" you can run the following cmdline params "wmic qfe get HotfixID" you can also use "find" at the end of this command to filter by date/month/year or the latest KB number as per your choice(example below):. You can also get the result output of the script in form of a report.
|
wmic qfe get HotFixID | find "3004365"
|
- Using host insights based license and XQL: You can use the traditional host insights based dataset to query the list of installed KBs on endpoints using the following XQL query
dataset = host_inventory
| arrayexpand kbs
| filter host_name != null and os_type != ENUM.OS_LINUX
| alter hotfix = json_extract(kbs , "$.name")
| alter date = json_extract(kbs , "$.installation_date")
| alter header = json_extract(kbs , "$.title")
| fields host_name, hotfix, date, header
|
You can add filters of your choice under this to query the data for specific hostnames and also create a visual graph for the list of KBs as per your choice. (Example screenshot below)
Hope this helps!
Please mark the response as "Accept as Solution" if it was able to resolve your query.
Regards
