Datalake Query windows_programs with some empty "name" columns

I am playing around with the XDR Datalake. The goal is to use the XDR Datalake for our inventory, so we do not have to update it manually.

I can get all installed software from the Datalake thanks to the query "windows_programs". However, in this query there are a lot of entries with just a publisher name and no name for the actual software nor the version. Other entries are complete with the name of the software.

Is there a reason for that?

Hello,

Sophos uses osquery for this information, the scheduled queries are defined in:

C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\sophos-scheduled-query-pack.conf

So in this case, the query is:

FROM programs;

It runs every 4 hours to collect this information.

If you look at the page, you can see it has links to the schema for the version used by Sophos, which is the same as the file version of the file "C:\Program Files\Sophos\Live Query\SophosOsquery.exe", and even the GitHub page to see the source.

If you do install osquery, you can run the same query:

Looking at the osquery code, it just enumerates the uninstall keys, so the data is based on the values stored by the installers.

I hope this information helps.
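The reply above says the osquery "programs" table is built from the Windows uninstall registry keys, so a row with a publisher but no name means the installer wrote a Publisher value but no DisplayName. The following PowerShell script is an added example, not code from the thread or from Sophos: it walks the same three uninstall key locations that hold this data (64-bit and WOW6432Node under HKLM, plus HKCU) and lists the entries that would show up in the Datalake with an empty name column, so you can see on the endpoint which installers are responsible. Column and value names (DisplayName, DisplayVersion, Publisher, SystemComponent, UninstallString) are the standard uninstall-key values; the script assumes no particular software is present.

```powershell
# Added example (not from the Sophos thread): enumerate the uninstall keys that
# osquery's "programs" table reads and report entries that have a Publisher but
# no DisplayName. Those are the rows that appear with an empty "name" column.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

$entries = foreach ($root in $uninstallKeys) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root | ForEach-Object {
        # Each subkey is one installed product; its values are whatever the
        # installer chose to write, which is why some are incomplete.
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Hive            = $root
            Key             = $_.PSChildName      # product GUID or vendor-chosen id
            DisplayName     = $p.DisplayName
            DisplayVersion  = $p.DisplayVersion
            Publisher       = $p.Publisher
            # SystemComponent=1 hides the entry from "Programs and Features"
            # but it is still in the registry, so osquery still reports it.
            SystemComponent = $p.SystemComponent
            UninstallString = $p.UninstallString
        }
    }
}

# Rows with a publisher but no display name: the incomplete inventory entries.
$nameless = @($entries | Where-Object {
    [string]::IsNullOrWhiteSpace($_.DisplayName) -and
    -not [string]::IsNullOrWhiteSpace($_.Publisher)
})

"{0} uninstall entries total, {1} with a Publisher but no DisplayName" -f @($entries).Count, $nameless.Count

$nameless |
    Sort-Object Publisher, Key |
    Format-Table Hive, Key, Publisher, DisplayVersion, SystemComponent -AutoSize
```

Run it in an elevated PowerShell session on the endpoint whose Datalake rows look incomplete; the Key column gives you the subkey name, which is usually enough to identify the installer that omitted DisplayName. For an inventory, treat such rows as "unnamed component from <Publisher>" rather than dropping them, since many are shared runtimes or per-user components rather than errors in the data collection.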