I am playing around with the XDR Datalake. The goal is to use the XDR Datalake for our inventory. So we do not have manually update it.
I can get all installed software from the Datalake thanks to the query "windows_programs". However in this query there are a lot of entries with just a publisher name and not name for the actual software nor the version. Other entries are complete with the name of the software.
Is there a reason for that?
Hello,
Sophos uses osquery for this information, the scheduled queries are defined in:
C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\sophos-scheduled-query-pack.conf
So in this case, the query is:
SELECT
name,
version,
language,
install_source,
publisher,
identifying_number,
install_date
FROM programs;
It runs every 4 hours to collect this information.
If you look at the https://www.osquery.io/ page, you can see it has links to the schema for the version used by Sophos which is the same as the file version for the file "C:\Program Files\Sophos\Live Query\SophosOsquery.exe" and even the GitHub page to see the source.
If you do install osquery, you can run the same query:
Looking at the osquery code it just enumerates the uninstall keys so the data is based on the values stored by the installers.
I hope this information helps.