This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Need to extract installed application.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Need to extract installed application.

OsamaKhan
L2 Linker

‎09-30-2021 09:53 AM

Hi,

 

I have queries regarding cortex XDR,

 

Does the cortex xdr provide application inventory counts?

 

We want to extract each and every application which is installed in all our network systems but with IP.

 

for e.g, 10.10.10.10 is a system IP, I want to extract how many other applications are installed in this particular IP.

 

From host insight, we get the list but we want with IP or user.

 

Thanks and Regards,
OK.
0 Likes Likes
1 REPLY 1

malalade
L2 Linker

‎09-30-2021 03:39 PM

Yes. There are multiple workarounds.
1. You can either use the "Endpoint Administration" Tab to get the equivalent "hostname" of the "IP Address"/"user" and then use "quick Launcher" on the top right to get the "Asset View" of the endpoint
Change the view to applications. That provide the list of application and the count

2. Alternatively, you can use XQL query. Target "Host Inventory" table
Note:

Agent_id is the primary key for the host inventory table. But you can execute the query with a filter such as
- host_name
- ip_addresses
- users
Also, note the timeframe specified because host inventory collection happens daily and you could have multiple counts


With IP Address

dataset = host_inventory
| filter ip_addresses = "10.10.10.10"
| arrayexpand applications
| alter apps = json_extract(applications, "$.application_name")
| fields apps


To make it a re-usable query, change the hardcoded IP Address to "$system_ip" and save it into your query library
Whenever you want to use the query, you will need to supply the target IP Address as the parameter. See attached screenshot


dataset = host_inventory
| filter ip_addresses = "$system_ip"
| arrayexpand applications
| alter apps = json_extract(applications, "$.application_name")
| fields apps

 

With User name

change the target_user e.g. Smith (case sensitive)

dataset = host_inventory
| arrayexpand users
| alter target_user = json_extract(users, "$.name")
| filter (target_user = "\"target_user\"")
| arrayexpand applications
| alter apps = json_extract(applications, "$.application_name")
| fields apps


For the count of applications per IP Address


dataset = host_inventory
| filter ip_addresses = "10.10.10.10"
| arrayexpand applications
| alter apps = json_extract(applications, "$.application_name")
| dedup apps by asc _time
| comp count(apps) as Counter by _time

Preview file
110 KB
  • 3873 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks