Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Need to extract installed application.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Need to extract installed application.

L2 Linker

Hi,

 

I have queries regarding cortex XDR,

 

Does the cortex xdr provide application inventory counts?

 

We want to extract each and every application which is installed in all our network systems but with IP.

 

for e.g, 10.10.10.10 is a system IP, I want to extract how many other applications are installed in this particular IP.

 

From host insight, we get the list but we want with IP or user.

 

Thanks and Regards,
OK.
1 REPLY 1

L2 Linker

Yes. There are multiple workarounds.
1. You can either use the "Endpoint Administration" Tab to get the equivalent "hostname" of the "IP Address"/"user" and then use "quick Launcher" on the top right to get the "Asset View" of the endpoint
Change the view to applications. That provide the list of application and the count

2. Alternatively, you can use XQL query. Target "Host Inventory" table
Note:

Agent_id is the primary key for the host inventory table. But you can execute the query with a filter such as
- host_name
- ip_addresses
- users
Also, note the timeframe specified because host inventory collection happens daily and you could have multiple counts


With IP Address

dataset = host_inventory
| filter ip_addresses = "10.10.10.10"
| arrayexpand applications
| alter apps = json_extract(applications, "$.application_name")
| fields apps


To make it a re-usable query, change the hardcoded IP Address to "$system_ip" and save it into your query library
Whenever you want to use the query, you will need to supply the target IP Address as the parameter. See attached screenshot


dataset = host_inventory
| filter ip_addresses = "$system_ip"
| arrayexpand applications
| alter apps = json_extract(applications, "$.application_name")
| fields apps

 

With User name

change the target_user e.g. Smith (case sensitive)

dataset = host_inventory
| arrayexpand users
| alter target_user = json_extract(users, "$.name")
| filter (target_user = "\"target_user\"")
| arrayexpand applications
| alter apps = json_extract(applications, "$.application_name")
| fields apps


For the count of applications per IP Address


dataset = host_inventory
| filter ip_addresses = "10.10.10.10"
| arrayexpand applications
| alter apps = json_extract(applications, "$.application_name")
| dedup apps by asc _time
| comp count(apps) as Counter by _time

  • 3823 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!