
Hello @PankajThakre,

 

As far as I know, the way to do this is to have an XDR Pro license for your endpoints and have the Host Insights add-on.

 

With that, you have the inventory of apps installed on each of your endpoints where the Cortex XDR agent is installed and has the Enable Host insights capabilities in your agent settings.

 

You will then be able to access the inventory from the UI under Assets > Vulnerability Assessment > Host inventory > Applications

Direct link:

https://<yourCortexTenant>.xdr.<countrycode>.paloaltonetworks.com/host-insights/apps/apps-only

 

You can also query the info with the following XQL query:

*************************************

dataset = host_inventory
| arrayexpand applications
| alter software = json_extract(applications, "$.application_name"), install_date = json_extract(applications, "$.install_date"), version = json_extract(applications, "$.version")
| filter applications contains $Software
| fields host_name, software, version, install_date

*************************************

 

$Software is a variable: if you save the query in your Query Library, it will ask you for the software that you want to search for. You can replace that with whatever you want to search for.

 

Hope that helps.

 

Thanks

LD

 

 
