07-02-2025 10:36 AM
Hi everyone,
I need your help.
I'm trying to create a CMDB using a playbook in Cortex XSOAR, pulling data from the Cortex XDR Asset Inventory tab (XDR-managed devices as well as others collected via mappers and IoT firewalls).
My idea is to collect all the asset information using XQL, but I haven't been able to identify which dataset contains this information.
Does anyone know if this is possible, or where that asset data might be stored?
Thanks in advance!
07-03-2025 05:57 AM - edited 07-03-2025 06:38 AM
Hello Tiago,
There is no dataset for the Asset Inventory page/table.
If you go to the cogwheel (Settings), click Configuration and then select the Dataset Management option, you can filter for the two datasets:
host_inventory
PANW_Network_Mapper_raw
You can pick up the information from those two datasets; right-click on them to see the fields each one contains.
I hope this helps
If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution". Thank you.
KR,
Luis
07-03-2025 07:26 AM
Hi @eluis ,
I remembered that — creating an XQL query with three datasets:
[dataset in (endpoints, panw_iot_security_devices_raw, panw_network_mapper_raw)] —
but I was wondering if there might be a single dataset that consolidates the "All Assets" information, hence my question.
What I’m currently trying to figure out is whether, for what I need to do (building a CMDB with this data), I should run the XQL queries separately or combined, in order to reduce duplicate entries, since I’ll need to pull data from endpoints, IoT, and mapper sources.
Once again, thank you for your help.
07-07-2025 09:34 AM
Workaround found... I'm doing two queries:
// query IoT and network-mapper devices, excluding any MAC already known as an XDR endpoint
dataset in (panw_network_mapper_raw, panw_iot_security_devices_raw)
| alter mac = lowercase(coalesce(mac, MAC)), ip = coalesce(ip, ip_address)
| fields hostname, mac, ip, vendor, profile, profile_type
| filter mac not in (
    dataset = endpoints
    | fields mac_address
    | filter array_length(mac_address) > 0
    | arrayexpand mac_address
    | alter mac_address = lowercase(mac_address)
)
| dedup mac by desc _insert_time // dedup on the normalised "mac" kept by "fields" above; the raw "MAC" column is no longer in scope there
// query XDR-managed endpoints, enriched with hardware/OS details from host_inventory
// (a left join keeps endpoints that have no host_inventory record yet)
dataset = endpoints
| fields endpoint_name, ip_address, mac_address, endpoint_id
| join type = left (
    dataset = host_inventory
    | fields host_name, ip_addresses, agent_id, manufacturer, model, serial_number, os_type, os_caption
) as hostinfo (endpoint_id = hostinfo.agent_id)
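As an added example (not code from this post or from Palo Alto Networks), here is how an XSOAR automation could merge the two result sets above into one record list for the CMDB, keyed on a normalised MAC, so a device seen both by the agent and by the mapper does not become two entries. It assumes the XQL query integration hands the automation each query's rows as a list of dicts carrying the field names used in the two queries (flat column names for the host_inventory join are an assumption, as are the sample rows, which are constructed). Beyond the queries themselves it also normalises MAC separators, since lowercase() alone does not make "AA-BB-.." and "aabb.ccdd.eeff" compare equal, and it keeps devices that report no MAC at all.

```python
"""Merge the two XQL result sets into one de-duplicated CMDB record list."""
import re
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample rows shaped like the two queries' output (not real data).
# Flat field names are assumed for the host_inventory join columns.
SAMPLE_ENDPOINTS = [
    {"endpoint_name": "LAPTOP-01", "endpoint_id": "ep-1", "ip_address": ["10.0.0.5"],
     "mac_address": ["AA-BB-CC-DD-EE-01"], "manufacturer": "Dell", "model": "Latitude 5540",
     "serial_number": "SN0001", "os_type": "AGENT_OS_WINDOWS", "os_caption": "Windows 11 Pro"},
    {"endpoint_name": "SRV-02", "endpoint_id": "ep-2", "ip_address": ["10.0.1.20"],
     "mac_address": [], "manufacturer": None, "model": None, "serial_number": None,
     "os_type": "AGENT_OS_LINUX", "os_caption": None},
]
SAMPLE_IOT = [
    # Same laptop as above, seen by the network mapper with a different MAC format.
    {"hostname": "laptop-01.corp", "mac": "aa:bb:cc:dd:ee:01", "ip": "10.0.0.5",
     "vendor": "Dell", "profile": "Laptop", "profile_type": "IT"},
    {"hostname": "cam-lobby", "mac": "00:11:22:33:44:55", "ip": "10.0.2.7",
     "vendor": "Axis", "profile": "IP Camera", "profile_type": "IoT"},
    # Duplicate of the camera in Cisco-style notation: must collapse to one record.
    {"hostname": "cam-lobby", "mac": "0011.2233.4455", "ip": "10.0.2.7",
     "vendor": "Axis", "profile": "IP Camera", "profile_type": "IoT"},
    # No MAC at all: a MAC-only dedup would silently drop this device.
    {"hostname": "plc-7", "mac": None, "ip": "10.0.3.9",
     "vendor": "Siemens", "profile": "PLC", "profile_type": "OT"},
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: Optional[str]) -> Optional[str]:
    """Return a MAC as 12 lowercase hex digits with colons, or None if unusable.
    lowercase() alone (as in the XQL) does not make "AA-BB-..", "aabb.ccdd.eeff"
    and "aa:bb:.." compare equal, so strip every non-hex character first."""
    if not raw:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _as_list(value: Any) -> List[str]:
    """Array fields (mac_address, ip_address) arrive as lists, scalars as str."""
    if value is None:
        return []
    return [v for v in value if v] if isinstance(value, list) else [value]


def merge_assets(endpoint_rows: Iterable[Dict[str, Any]],
                 iot_rows: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Precedence follows the thread's queries: an XDR-managed endpoint wins over
    any mapper/IoT row sharing a MAC with it, and repeated mapper/IoT rows for one
    MAC collapse to the first seen (the XQL already orders them newest-first).
    Rows without a usable MAC are kept, keyed on hostname+IP, instead of lost."""
    by_mac: Dict[str, Dict[str, Any]] = {}
    seen_no_mac = set()
    records: List[Dict[str, Any]] = []

    for row in endpoint_rows:
        macs = [m for m in map(normalize_mac, _as_list(row.get("mac_address"))) if m]
        record = {"name": row.get("endpoint_name"), "source": "xdr_endpoint",
                  "endpoint_id": row.get("endpoint_id"), "macs": macs,
                  "ips": _as_list(row.get("ip_address")),
                  "manufacturer": row.get("manufacturer"), "model": row.get("model"),
                  "serial_number": row.get("serial_number"),
                  "os": row.get("os_caption") or row.get("os_type")}
        records.append(record)
        for m in macs:
            by_mac.setdefault(m, record)  # first endpoint claiming a MAC keeps it

    for row in iot_rows:
        mac = normalize_mac(row.get("mac"))
        if mac is None:
            key = (row.get("hostname") or "", row.get("ip") or "")
            if key == ("", "") or key in seen_no_mac:
                continue  # nothing to identify it by, or already recorded
            seen_no_mac.add(key)
        elif mac in by_mac:
            continue  # covered by an XDR endpoint or an earlier mapper/IoT row
        record = {"name": row.get("hostname"), "source": "iot_or_mapper",
                  "endpoint_id": None, "macs": [mac] if mac else [],
                  "ips": _as_list(row.get("ip")),
                  "manufacturer": row.get("vendor"), "model": row.get("profile"),
                  "serial_number": None, "os": None,
                  "profile_type": row.get("profile_type")}
        records.append(record)
        if mac:
            by_mac[mac] = record
    return records


if __name__ == "__main__":
    for rec in merge_assets(SAMPLE_ENDPOINTS, SAMPLE_IOT):
        print(rec["source"], rec["name"], rec["macs"], rec["ips"])
```

On the sample data this yields four records: the two XDR endpoints, one camera (the two mapper rows for it collapse), and the MAC-less PLC; the mapper's view of LAPTOP-01 is dropped because the agent record already owns that MAC. In a playbook the merged list would be written to context and then pushed to the CMDB integration, with the "source" field telling the CMDB which records carry agent-grade detail (serial number, OS) and which are mapper/IoT observations only.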