Approved

You are recommended to read the full content of the post before using this query. It is not simply a copy-and-paste query like others in the forum. It is valuable in the right situation.


Live Discover Query to see the versions of any software installed on macOS

Hello Sophos Team,

I wanted a live discovery query that would retrieve the version of any software installed on macOS machines in my environment, as well as the hostname / IP of the machines.

The purpose of this query is to verify and patch all programs to the latest version and make sure there are no vulnerabilities affecting them.

Then, a result like Name, IP, version of the consulted software.

I appreciate the help you can give me.

  • Hi Jairo,

    You can run the below query and get the desired details of the installed app in macOS.

    SELECT
    name,
    path,
    bundle_executable,
    bundle_identifier,
    bundle_name,
    bundle_short_version,
    bundle_version,
    display_name
    FROM
    apps



    To get the machine IP details.

    SELECT
    friendly_name,
    interface,
    address,
    mask,
    broadcast,
    point_to_point,
    type
    FROM
    interface_addresses
    WHERE
    address LIKE '%.%.%.%'
    AND address <> '127.0.0.1'

    • Hi RaviSoni,


      Thank you very much for the quick answer.

      A question: if I wanted to validate the specific version of some software, how could the query be structured?

      I tried it this way with the Google Chrome example:

      SELECT
          name,
          path,
          bundle_executable,
          bundle_short_version
      FROM
          apps
      WHERE
          bundle_executable LIKE 'Google Chrome'

      I don't know if it's the right way to do it.

      Thanks.

      • Hi RaviSoni,
        Thank you very much for the quick answer.

        Really, thank you very much for the help; this is excellent and was what I was looking for.

        Thanks

        • You can search for any program with this query.

          • Yes, this is correct. A better way is to use the wildcard '%' to match the program name, which would be much easier in this case. You can put a condition on name, bundle_executable or bundle_name as well.

            For example,

            WHERE
            name LIKE '%Chrome%'
            OR bundle_executable LIKE '%Chrome%'
            OR bundle_name LIKE '%Chrome%'

            Here is the complete query ready to use.

            /* DEFINE VARIABLE IN CENTRAL */
            -- VARIABLE programName STRING
            SELECT
            name,
            path,
            bundle_executable,
            bundle_identifier,
            bundle_name,
            bundle_short_version,
            bundle_version,
            display_name
            FROM
            apps
            WHERE
            name LIKE '%$$programName$$%'
            OR bundle_executable LIKE '%$$programName$$%'
            OR bundle_name LIKE '%$$programName$$%'
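
Added example, not part of the original thread or of Sophos's own queries: the apps query and the interface_addresses query from the replies above combined into one, so each result row carries hostname, IP and version together. The join to the osquery system_info table, the link-local exclusion and the literal 'Chrome' filter are assumptions of this example; in Live Discover the literal can be replaced with the $$programName$$ variable shown above.

```sql
-- One row per matching app per non-loopback IPv4 address on the endpoint.
SELECT
    si.hostname,                      -- endpoint name from system_info
    ia.interface,
    ia.address AS ip_address,
    a.name,
    a.bundle_identifier,
    a.bundle_short_version,           -- user-facing version string
    a.bundle_version,                 -- build number
    a.path                            -- shows duplicate copies outside /Applications
FROM apps AS a
CROSS JOIN system_info AS si          -- single-row table, adds the hostname
CROSS JOIN interface_addresses AS ia
WHERE
    -- The parentheses matter: without them AND binds tighter than OR and
    -- the address filters would only apply to the last LIKE condition.
    (
        a.name LIKE '%Chrome%'
        OR a.bundle_executable LIKE '%Chrome%'
        OR a.bundle_name LIKE '%Chrome%'
    )
    AND ia.address LIKE '%.%.%.%'     -- IPv4 only, as in the reply above
    AND ia.address <> '127.0.0.1'     -- skip loopback
    AND ia.address NOT LIKE '169.254.%'  -- assumption: also skip link-local
ORDER BY
    a.name,
    ia.interface;
```

A machine with several active interfaces returns one row per interface for each matching app, and an app installed in more than one location appears once per path, which helps spot outdated copies that a patch run missed.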