Add Windows OS version to Windows programs (Data Lake) query

Hi all,

I'm trying to get the Windows OS version from the query "Windows programs (Data Lake)" query provided by Sophos. I have been looking the schema but I'm unable to get the information.

Please, see the query below and let me know if it is possible to modify it in order to get the OS version info.

SELECT
meta_hostname AS ep_name,
name,
version,
language,
install_source,
publisher,
identifying_number,
install_date
FROM xdr_data
WHERE query_name = 'windows_programs'

Thank you and regards,

Luis Miguel.



Message was not very well written.
[edited by: Luis Miguel Suarez Perez at 12:27 AM (GMT -7) on 6 Sep 2022]
Parents
  • Hi Luis,

    Thank you for posting.

    The correct category to view is under " Device: Hardware and operating system details"

    Here is the query 

    SELECT
        system_info.hostname,
        system_info.cpu_brand,
        system_info.cpu_type,
        system_info.physical_memory,
        system_info.hardware_vendor,
        system_info.hardware_model,
        system_info.hardware_serial,
        os_version.name AS os_name,
        os_version.version AS os_version,
        os_version.build,
        os_version.platform,
        os_version.patch,
        uptime.days AS uptime_days,
        uptime.hours AS uptime_hours,
        uptime.minutes AS uptime_minutes,
        uptime.total_seconds AS uptime_seconds,
        time.timezone AS system_timezone,
        time.timestamp AS system_formatted_timestamp,
        time.datetime AS system_current_time
    FROM system_info
    CROSS JOIN os_version
    CROSS JOIN uptime
    CROSS JOIN time

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer

Reply
  • Hi Luis,

    Thank you for posting.

    The correct category to view is under " Device: Hardware and operating system details"

    Here is the query 

    SELECT
        system_info.hostname,
        system_info.cpu_brand,
        system_info.cpu_type,
        system_info.physical_memory,
        system_info.hardware_vendor,
        system_info.hardware_model,
        system_info.hardware_serial,
        os_version.name AS os_name,
        os_version.version AS os_version,
        os_version.build,
        os_version.platform,
        os_version.patch,
        uptime.days AS uptime_days,
        uptime.hours AS uptime_hours,
        uptime.minutes AS uptime_minutes,
        uptime.total_seconds AS uptime_seconds,
        time.timezone AS system_timezone,
        time.timestamp AS system_formatted_timestamp,
        time.datetime AS system_current_time
    FROM system_info
    CROSS JOIN os_version
    CROSS JOIN uptime
    CROSS JOIN time

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer

Children