Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 14 subscribers
  • Views 834 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Datalake Query windows_programs with some empty "name" columns

Philippe Hirzel

I am playing around with the XDR Datalake. The goal is to use the XDR Datalake for our inventory. So we do not have manually update it.

I can get all installed software from the Datalake thanks to the query "windows_programs". However in this query there are a lot of entries with just a publisher name and not name for the actual software nor the version. Other entries are complete with the name of the software.

Is there a reason for that?



This thread was automatically locked due to age.
Parents
  • 0

    Hello,

    Sophos uses osquery for this information, the scheduled queries are defined in:

    C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\sophos-scheduled-query-pack.conf

    So in this case, the query is:

    SELECT
    name,
    version,
    language,
    install_source,
    publisher,
    identifying_number,
    install_date
FROM programs;

    It runs every 4 hours to collect this information.

    If you look at the https://www.osquery.io/ page, you can see it has links to the schema for the version used by Sophos which is the same as the file version for the file "C:\Program Files\Sophos\Live Query\SophosOsquery.exe" and even the GitHub page to see the source.

    If you do install osquery, you can run the same query:

    Looking at the osquery code it just enumerates the uninstall keys so the data is based on the values stored by the installers.

    I hope this information helps.

Reply
  • 0

    Hello,

    Sophos uses osquery for this information, the scheduled queries are defined in:

    C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\sophos-scheduled-query-pack.conf

    So in this case, the query is:

    SELECT
    name,
    version,
    language,
    install_source,
    publisher,
    identifying_number,
    install_date
FROM programs;

    It runs every 4 hours to collect this information.

    If you look at the https://www.osquery.io/ page, you can see it has links to the schema for the version used by Sophos which is the same as the file version for the file "C:\Program Files\Sophos\Live Query\SophosOsquery.exe" and even the GitHub page to see the source.

    If you do install osquery, you can run the same query:

    Looking at the osquery code it just enumerates the uninstall keys so the data is based on the values stored by the installers.

    I hope this information helps.

Children
No Data
Unfiltered HTML