Datalake Query windows_programs with some empty "name" columns

I am playing around with the XDR Datalake. The goal is to use the XDR Datalake for our inventory, so we do not have to manually update it.

I can get all installed software from the Datalake thanks to the query "windows_programs". However, in this query there are a lot of entries with just a publisher name and no name for the actual software nor the version. Other entries are complete with the name of the software.

Is there a reason for that?



  • Hello,

    Sophos uses osquery for this information; the scheduled queries are defined in:

    C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\sophos-scheduled-query-pack.conf

    So in this case, the query is:

    SELECT
        name,
        version,
        language,
        install_source,
        publisher,
        identifying_number,
        install_date
    FROM programs;
    

    It runs every 4 hours to collect this information.

    If you look at the https://www.osquery.io/ page, you can see it has links to the schema for the version used by Sophos, which is the same as the file version for the file "C:\Program Files\Sophos\Live Query\SophosOsquery.exe", and even the GitHub page to see the source.

    If you do install osquery, you can run the same query:

    Looking at the osquery code, it just enumerates the uninstall keys, so the data is based on the values stored by the installers.

    I hope this information helps.
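
One way to see which installers left the name out, as an added example that is not part of the original reply or of the Sophos query pack: an osquery query over the `registry` table that lists uninstall subkeys carrying a `Publisher` value but no `DisplayName`. It assumes the standard 64-bit and 32-bit (WOW6432Node) HKLM uninstall paths, and that the `name`, `version` and `publisher` columns of `programs` are read from the `DisplayName`, `DisplayVersion` and `Publisher` registry values.

```sql
-- Added example (not from the thread or the Sophos query pack).
-- Assumption: programs.name / version / publisher are read from the
-- DisplayName / DisplayVersion / Publisher values of each uninstall subkey.
WITH uninstall_values AS (
    -- One SELECT per path so each keeps its own constraint on "key"
    SELECT key, name, data
    FROM registry
    WHERE key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%'
    UNION ALL
    SELECT key, name, data
    FROM registry
    WHERE key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\%'
),
per_program AS (
    -- Pivot the value rows into one row per uninstall subkey
    SELECT
        key AS uninstall_key,
        MAX(CASE WHEN name = 'DisplayName'    THEN data END) AS display_name,
        MAX(CASE WHEN name = 'DisplayVersion' THEN data END) AS display_version,
        MAX(CASE WHEN name = 'Publisher'      THEN data END) AS publisher
    FROM uninstall_values
    GROUP BY key
)
-- Keep only the entries that would appear with a publisher but no name
SELECT uninstall_key, publisher, display_version
FROM per_program
WHERE COALESCE(display_name, '') = ''
  AND COALESCE(publisher, '') <> ''
ORDER BY publisher, uninstall_key;
```

The `uninstall_key` column shows which installer-written subkey each incomplete row comes from, which is usually enough to identify the product for an inventory.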