New to the data lake - Is it possible to get the revision of windows, as well as the build number?

Hi, im just wondering if the revision of a windows machine is also uploaded to the datalake. I have had a look at the schema and i cannot see it contained within it. If it its not in the datalake, can it be live queried from a machine?

Brian Adgey

Qoosh over 1 year ago

Hi Brian,

I've moved this over to the Live Discover and Response query forum to better fit your question.

Let me know if the in-built query "Devices > Hardware and operating system details" contains the information you're looking for. Some of the fields I was able to gather are as follows:

epName, hostname, cpu_brand, cpu_type, physical_memory, hardware_vendor, hardware_model, hardware_serial, os_name, os_version, build, platform, patch, uptime_days, uptime_hours, uptime_minutes, uptime_seconds, system_timezone, system_formatted_timestamp, system_current_time.

Here are some of the values returned, let me know if this is relevant.
os_version = 10.0.18363
build = 18363

Sophos also uses the osquery schema. For this specific in-built-query, the "system_info" table was queried
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

New to the data lake - Is it possible to get the revision of windows, as well as the build number?