This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

XQL Question - Cortex > Host Inventory > Applications Result View

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

XQL Question - Cortex > Host Inventory > Applications Result View

Go to solution
kenlacrosse
L1 Bithead

‎07-30-2025 04:31 PM

I'm assuming that the result set shown on the page for Host Inventory > Applications is the product of an XQL query that we could write in Query Builder.  I'm looking to, sort of, duplicate and modify that XQL.  Does anyone know if that query is available and what the query is or where it might be found if it is available?

 

Thanks

0 Likes Likes
2 accepted solutions

Accepted Solutions

Go to solution
bonnie25hell
L0 Member

‎07-30-2025 11:36 PM

Yes, the XQL query for Host Inventory > Applications is available and can be found on the Palo Alto Networks LIVEcommunity. A common starting point for listing host inventory applications is:

`dataset = host_inventory | filter applications != null | arrayexpand applications | alter applications=json_extract(applications, "$.application_name"), software_vendor = json_extract(applications, "$.vendor"), software_verion = json_extract(applications, "$.version") | fields applications, host_name, software_vendor , software_verion`

This query can be modified in the Query Builder to suit specific needs, such as filtering for particular applications or vendors. You can also explore the `host_inventory` dataset schema in the Query Builder's Integrated Developer Environment (IDE) to discover other relevant fields.

MyKFCExperience Survey

View solution in original post

0 Likes Likes

Go to solution
jmazzeo
L5 Sessionator

‎07-31-2025 05:24 AM

Hi @kenlacrosse,

 

There is a preset with all the applications data:

 

preset = host_inventory_applications

 

Every part of the Inventory has it's own preset to work with XQL:

jmazzeo_0-1753964629327.png

 

If this post answers your question, please mark it as the solution.

JM

View solution in original post

0 Likes Likes
3 REPLIES 3

Go to solution
dustin85mark
L0 Member

‎07-30-2025 10:51 PM

Yes, the result set shown on the Host Inventory > Applications page in platforms like Cortex XDR or XSIAM is generally the product of an underlying XQL (XDR Query Language) query. While the exact query used by the UI is not typically exposed directly, you can replicate or approximate it using the Query Builder. By selecting the application_inventory dataset in Query Builder, you can construct a similar query to display application names, versions, paths, and hostnames. For example, a basic XQL query like dataset = application_inventory | fields agent_hostname, application_name, application_path, application_version | sort last_seen_time desc | limit 100 closely mirrors what you see on that page. To find the exact backend query, some users inspect browser network traffic using Developer Tools (F12), filtering for requests to endpoints like /query/execute or GraphQL, where parts of the query may be encoded. Additionally, if you want to enhance the query, you can join with the host_inventory dataset to include more host details like OS type and version. While Palo Alto doesn’t publish these UI queries openly, their official XQL documentation and Query Library provide many helpful starting points, and reaching out to their support team may yield further insight if needed.

my balance now
0 Likes Likes

Go to solution
bonnie25hell
L0 Member

‎07-30-2025 11:36 PM

Yes, the XQL query for Host Inventory > Applications is available and can be found on the Palo Alto Networks LIVEcommunity. A common starting point for listing host inventory applications is:

`dataset = host_inventory | filter applications != null | arrayexpand applications | alter applications=json_extract(applications, "$.application_name"), software_vendor = json_extract(applications, "$.vendor"), software_verion = json_extract(applications, "$.version") | fields applications, host_name, software_vendor , software_verion`

This query can be modified in the Query Builder to suit specific needs, such as filtering for particular applications or vendors. You can also explore the `host_inventory` dataset schema in the Query Builder's Integrated Developer Environment (IDE) to discover other relevant fields.

MyKFCExperience Survey
0 Likes Likes

Go to solution
jmazzeo
L5 Sessionator

‎07-31-2025 05:24 AM

Hi @kenlacrosse,

 

There is a preset with all the applications data:

 

preset = host_inventory_applications

 

Every part of the Inventory has it's own preset to work with XQL:

jmazzeo_0-1753964629327.png

 

If this post answers your question, please mark it as the solution.

JM
0 Likes Likes
  • 2 accepted solutions
  • 590 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks