KB KB5022661


L0 Member

Hello,

Does anyone have a Cortex XDR query to check if any endpoints and/or servers are missing Microsoft KB5022661. Any assistance would be greatly appreciated.

1 REPLY 1

L3 Networker

Hello @M.Rivera653095 ,

Greetings for the day.

To identify endpoints and servers missing Microsoft KB5022661, you can use Cortex XDR Query Language (XQL) to search through Host Inventory data. Identifying missing patches typically requires a negative search, where you compare the total list of endpoints against those that have the specific KB installed.


XQL Query: Identifying Missing KB5022661

The most reliable method is to perform a left join between the complete endpoints dataset and the host_inventory_kbs preset.

dataset = endpoints 
| filter endpoint_status != ENUM.CONNECTION_LOST
| join conflict_strategy = left type = left 
    (preset = host_inventory_kbs | filter hotfix_id == "KB5022661") as kbs 
    kbs.endpoint_id = endpoint_id
| alter found = if(kbs.hotfix_id != null, 1, 0)
| comp sum(found) as total_found by endpoint_name, endpoint_id
| filter total_found == 0
| fields endpoint_name, endpoint_id

Alternative XQL Method: Expanding the KB Array

You can also query the host_inventory dataset directly by expanding the kbs array and filtering for hosts where the target KB is not present:

dataset = host_inventory 
| fields agent_id, host_name, kbs
| arrayexpand kbs 
| alter kb_id = json_extract_scalar(to_json_string(kbs), "$.hotfix_id")
| alter is_target = if(kb_id == "KB5022661", 1, 0)
| comp sum(is_target) as kb_check by host_name, agent_id
| filter kb_check == 0

Alternative: Azure Code Signing (ACS) Diagnostic Script

KB5022661 is specifically required to support Azure Code Signing (ACS), which is a prerequisite for newer Cortex XDR agent versions (for example, 8.8 and above).

  • The test_acs Script:
    You can run the test_acs diagnostic script from the Cortex XDR script library on endpoints. If the script returns False, it confirms that the necessary ACS support (such as KB5022661 or a superseding update) is missing.

  • Result Visibility:
    Script execution results are stored in the Action Center and are not queryable natively via XQL by default. To query these results centrally, you would need to use XSOAR to retrieve the results via API and ingest them into a custom XQL dataset.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Happy New Year!!

Thanks & Regards,
S. Subashkar Sekar

  • 2191 Views
  • 1 replies
  • 0 Likes
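The "negative search" the reply describes (left join of all endpoints against the rows that carry the target hotfix, then keep the endpoints with no match) as an added Python example over constructed sample records, not code from the post or from Cortex XDR. Field names follow the XQL queries above; the endpoint and KB rows are made up, and the example additionally separates endpoints with no inventory rows at all from endpoints whose inventory confirms the KB is absent.

```python
# Constructed sample data shaped like the `endpoints` and host_inventory_kbs
# rows the XQL queries join on. Hypothetical hosts, not from the page.
TARGET_KB = "KB5022661"

ENDPOINTS = [
    {"endpoint_id": "ep-1", "endpoint_name": "SRV-DC01",   "endpoint_status": "CONNECTED"},
    {"endpoint_id": "ep-2", "endpoint_name": "WKS-042",    "endpoint_status": "CONNECTED"},
    {"endpoint_id": "ep-3", "endpoint_name": "WKS-077",    "endpoint_status": "CONNECTION_LOST"},
    {"endpoint_id": "ep-4", "endpoint_name": "SRV-FILE02", "endpoint_status": "CONNECTED"},
    {"endpoint_id": "ep-5", "endpoint_name": "WKS-099",    "endpoint_status": "CONNECTED"},
]

HOST_INVENTORY_KBS = [
    {"endpoint_id": "ep-1", "hotfix_id": "KB5022661"},
    {"endpoint_id": "ep-1", "hotfix_id": "KB5012170"},
    {"endpoint_id": "ep-2", "hotfix_id": "kb5022661"},   # casing differs from the target
    {"endpoint_id": "ep-3", "hotfix_id": "KB5012170"},   # host is CONNECTION_LOST, skipped
    {"endpoint_id": "ep-5", "hotfix_id": "KB5012170"},   # host lacks the target KB
    # ep-4 has no inventory rows at all: no evidence either way
]


def missing_kb(endpoints, kb_rows, target=TARGET_KB):
    """Return (missing, unknown) endpoint names.

    missing: inventory rows exist for the host but none carry `target`
             (the rows the XQL `filter total_found == 0` would return).
    unknown: the host has no inventory rows at all; a plain left join
             counts these as missing too, so report them separately.
    Hosts with endpoint_status == CONNECTION_LOST are excluded, matching
    the first XQL query's filter. Hotfix IDs are compared case-insensitively.
    """
    installed = {}
    for row in kb_rows:
        installed.setdefault(row["endpoint_id"], set()).add(row["hotfix_id"].upper())

    missing, unknown = [], []
    for ep in endpoints:
        if ep["endpoint_status"] == "CONNECTION_LOST":
            continue
        kbs = installed.get(ep["endpoint_id"])
        if kbs is None:
            unknown.append(ep["endpoint_name"])
        elif target.upper() not in kbs:
            missing.append(ep["endpoint_name"])
    return sorted(missing), sorted(unknown)
```

Endpoints in the "unknown" list need an inventory refresh before being counted as unpatched, and a superseding cumulative update would also not show up under the KB5022661 hotfix ID, so pair this check with the test_acs result where that matters.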