Live Discover - Patches Applied (Windows)

Hello,

The current query for "Patches applied" lists all the patches applied, but does not include patches applied via MSI or downloaded from Windows Update.

Query:

SELECT
hotfix_id,
description,
installed_by,
installed_on
FROM patches

Is there any way to edit the query so that it includes all the patches even those via MSI or downloaded from Windows Update ?

Thank you

Selvinen VENCATAKISTNEN

Top Comments

Qoosh over 1 year ago +1

Hi Selvinen , Thanks for reaching out to the Sophos Community Forum. It looks like the table you're querying is sourced from the osquery schema. You can find this mentioned on the following page. - osquery…

Qoosh over 1 year ago

Hi Selvinen,

Thanks for reaching out to the Sophos Community Forum.

It looks like the table you're querying is sourced from the osquery schema. You can find this mentioned on the following page.
- osquery.io/.../5.4.0

I see a couple of different tables are referenced on the following page, namely "pending_windows_updates_patch" and "windows_updates_patch". Will either of these work for your needs?
- doc.sophos.com/.../index.html

I've moved your post over to the Live Discover section of our forum to better assist.
- Cancel
- Vote Up +1 Vote Down
- More
- Cancel

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Live Discover - Patches Applied (Windows)

Top Comments