XQL query for browsers installed or in usage on host + Host_name.


L0 Member

Hi,

I need to find which browsers the users are using for daily tasks.
I'm looking for an XQL query for browsers installed or browsers in use by the user + hostname.
The date that the app was installed and the version are not so important as long as I get the browser name or vendor like Chrome, Firefox etc.
I can provide a browser list to search for or any other way to find it.

I tried a few queries, but once I checked the result it wasn't accurate.

Best regards,
Ori

2 REPLIES 2

Community Team Member

Hi @ori_stolero,

Can you share what you have tried already?

I was thinking something along these lines:


dataset = xdr_data
| filter lowercase(action_file_path) in ('c:\program files\google\chrome\application\chrome.exe', 
                                         'c:\program files\mozilla firefox\firefox.exe', 
                                         'c:\program files (x86)\microsoft\edge\application\msedge.exe',
                                         'c:\program files\internet explorer\iexplore.exe',
                                         'c:\program files\opera\launcher.exe',
                                         'c:\program files\safari\safari.exe')
| fields agent_hostname, action_file_path, action_file_name, action_local_ip, action_remote_ip


This query filters the xdr_data dataset for specific paths where browser executables are typically located. The lowercase function ensures the path comparison is case-insensitive. You can add or modify paths according to the actual installation directories used in your environment.


The "fields agent_hostname, action_file_path, action_file_name, action_local_ip, action_remote_ip" specifies the fields to include in the output, such as the hostname, file path, file name, and local/remote IP addresses involved in the action.


Hope this helps,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

L0 Member

Hey,

Thank you for your reply.
The issue is that if the application was installed too long ago (for example a year ago) the query doesn't find it.
I tried to run this query for the last month:

dataset = xdr_data
| filter lowercase(action_file_path) in ("C:\Users\Username\AppData\Local\Vivaldi\Application\Vivaldi.exe")
| fields agent_hostname, action_file_path, action_file_name, action_local_ip, action_remote_ip

But it didn't give any results.
Any idea will be appreciated.


The query that I tried is this one:
************************************************************** 
dataset = host_inventory
| filter applications != null
| arrayexpand applications
| alter applicationname=json_extract(applications, "$.application_name")
| alter applicationversion=json_extract(applications, "$.version")
| alter appvendor=json_extract(applications, "$.vendor")
| alter installdate=json_extract(applications, "$.install_date")
| alter applicationNameCount = "0" // create a new column called 'applicationnameC
| alter applicationNameCount = if (applicationname contains "Chrome", replace (applicationNameCount, "0" , "1" ), applicationNameCount ) // if application 1 is installed
| alter applicationNameCount = if (applicationname contains "Firefox", replace (applicationNameCount, "0", "2"), applicationNameCount ) // if application 2 is installed
| alter applicationNameCount = if (applicationname contains "brave", replace (applicationNameCount, "0" , "3" ), applicationNameCount ) // if application 3 is installed
| alter applicationNameCount = if (applicationname contains "edge", replace (applicationNameCount, "0" , "4" ), applicationNameCount ) // if application 4 is installed
| alter applicationNameCount = if (applicationname contains "Amigo", replace (applicationNameCount, "0" , "5" ), applicationNameCount ) // if application 5 is installed
| alter applicationNameCount = if (applicationname contains "Arc", replace (applicationNameCount, "0" , "6" ), applicationNameCount ) // if application 6 is installed
| alter applicationNameCount = if (applicationname contains "Chromium", replace (applicationNameCount, "0" , "7" ), applicationNameCount ) // if application 7 is installed
| alter applicationNameCount = if (applicationname contains "Vivaldi", replace (applicationNameCount, "0" , "8" ), applicationNameCount ) // if application 8 is installed
| alter applicationNameCount = if (applicationname contains "opera", replace (applicationNameCount, "0" , "9" ), applicationNameCount ) // if application 9 is installed
| alter applicationNameCount = if (applicationname contains "safari", replace (applicationNameCount, "0" , "10" ), applicationNameCount ) // if application 10 is installed
| alter applicationNameCount = if (applicationname contains "Tor", replace (applicationNameCount, "0" , "11" ), applicationNameCount ) // if application 11 is installed
| alter applicationNameCount = if (applicationname contains "Sogou", replace (applicationNameCount, "0" , "12" ), applicationNameCount ) // if application 12 is installed
| alter applicationNameCount = if (applicationname contains "QQ", replace (applicationNameCount, "0" , "13" ), applicationNameCount ) // if application 13 is installed
| alter applicationNameCount = if (applicationname contains "Yandex", replace (applicationNameCount, "0" , "14" ), applicationNameCount ) // if application 14 is installed
| alter applicationNameCount = if (applicationname contains "Baidu", replace (applicationNameCount, "0" , "15" ), applicationNameCount ) // if application 15 is installed
| alter applicationNameCount = if (applicationname contains "uc", replace (applicationNameCount, "0" , "16" ), applicationNameCount ) // if application 16 is installed
| comp sum (to_integer(applicationNameCount)) as appInstalled by host_name
************************************************************** 
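As an added illustration (not code from the thread), a small Python model of the matching logic both queries above rely on: plain substring matching, as in the host_inventory query, flags non-browsers such as ArcGIS or the Edge WebView2 runtime, while word-boundary matching on the application name, plus matching the executable name instead of a full path, finds per-user installs like Vivaldi under AppData regardless of the username. Host names, application names and paths are constructed sample data.

```python
import re
# Added example, not from the thread. Keyword lists are constructed from the
# browser names the thread mentions; they are not a complete product list.
NAIVE_KEYWORDS = ["chrome", "firefox", "edge", "arc", "vivaldi", "opera", "tor", "uc"]

# Word-boundary patterns: "arc" no longer hits "ArcGIS", "tor" no longer hits
# "Monitor", "uc" no longer hits "Product", and the Edge WebView2 runtime
# (a component, not a user-facing browser) is excluded explicitly.
BROWSER_NAME_PATTERNS = {
    "Chrome": r"\bgoogle chrome\b|\bchrome\b", "Firefox": r"\bfirefox\b",
    "Edge": r"\bmicrosoft edge\b(?! webview)", "Vivaldi": r"\bvivaldi\b",
    "Opera": r"\bopera\b", "Arc": r"\barc\b",
    "Tor": r"\btor browser\b", "UC": r"\buc browser\b",
}
# Executable names only, so per-user installs (C:\Users\<name>\AppData\...)
# match without hard-coding a username into the path.
BROWSER_EXECUTABLES = {"chrome.exe": "Chrome", "firefox.exe": "Firefox",
                       "msedge.exe": "Edge", "vivaldi.exe": "Vivaldi", "opera.exe": "Opera"}

def naive_browser(app_name):  # plain substring match, as the host_inventory query does
    n = app_name.lower()
    return next((k for k in NAIVE_KEYWORDS if k in n), None)

def browser_from_app_name(app_name):  # word-boundary match on application_name
    n = app_name.lower()
    return next((b for b, p in BROWSER_NAME_PATTERNS.items() if re.search(p, n)), None)

def browser_from_path(path):  # match on the executable name, ignoring its directory
    exe = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return BROWSER_EXECUTABLES.get(exe)

def browsers_per_host(inventory, events):
    # inventory: {host: [application_name, ...]}; events: [(host, file_path), ...]
    found = {}
    for host, apps in inventory.items():
        found.setdefault(host, set()).update(filter(None, map(browser_from_app_name, apps)))
    for host, path in events:
        hit = browser_from_path(path)
        if hit:
            found.setdefault(host, set()).add(hit)
    return {host: sorted(hits) for host, hits in found.items()}

# Constructed sample data, not real telemetry.
SAMPLE_INVENTORY = {"WS-01": ["Google Chrome", "Microsoft Edge WebView2 Runtime",
                              "ArcGIS Pro", "Adobe Product Updater"],
                    "WS-02": ["Vivaldi"]}
SAMPLE_EVENTS = [("WS-01", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
                 ("WS-02", r"C:\Users\jsmith\AppData\Local\Vivaldi\Application\vivaldi.exe"),
                 ("WS-02", r"C:\Windows\System32\svchost.exe")]
```

The same distinction applies in XQL: a per-browser `contains` check should be tightened to the full product name, and path filters should compare the file name rather than a directory that differs per user.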