Browse Live Response and Discover Queries by Category
Approved

This query is one you are recommended to read the full content of the post to use. It is not simply a copy and paste query, like others in the forum. It is valuable in the right situation.

Live Discover Query to see the versions of any software installed on macOS

Hello Sophos Team,

I wanted a live discovery query that would retrieve the version of any software installed on macOS machines in my environment, as well as the hostname / IP of the machines.

The purpose of this query is to verify and patch all programs to the latest version and make sure there are no vulnerabilities affecting them.

Then, a result like Name, IP, version of the consulted software.

I appreciate the help you can give me.

JAIRO VALERIO ALFARO
  • in reply to RaviSoni

    Hi RaviSoni,
    Thank you very much for the quick answer.

    Really thank you very much for the help, this is excellent was what I was looking for.

    Thanks

  • in reply to RaviSoni

    You can search for any program with this query.

  • in reply to JAIRO VALERIO ALFARO

    Yes, this is correct. A better way is usage of wildcard '%'  to match the program name would be much easier in this case. You can put a condition for name, bundle_executable or bundle_name as well.

    For example,

    WHERE
    name LIKE '%Chrome%'
OR bundle_executable LIKE '%Chrome%'
OR bundle_name LIKE '%Chrome%'

    Here is the complete query ready to use.

    /* DEFINE VARIABLE IN CENTRAL */
-- VARIABLE    programName    STRING

SELECT 
   name,
   path,
   bundle_executable,
   bundle_identifier,
   bundle_name,
   bundle_short_version,
   bundle_version,
   display_name
FROM
   apps
WHERE 
   name LIKE '%$$programName$$%'
OR bundle_executable LIKE '%$$programName$$%'
OR bundle_name LIKE '%$$programName$$%'

  • in reply to RaviSoni

    Hi RaviSoni,


    Thank you very much for the quick answer.

    Query and if I wanted to validate the specific version of some software, how could the query be structured?

    I tried it this way with the Google Chrome example:

    SELECT
            name,
            path,
            bundle_executable,
            bundle_short_version
    FROM
           apps
    WHERE
           bundle_executable LIKE 'Google Chrome'

    I don't know if it's the right way to do it.

    Thanks.

  • Hi Jairo,

    You can run the below query and get the desired details of the installed app in macOS.

    SELECT 
   name,
   path,
   bundle_executable,
   bundle_identifier,
   bundle_name,
   bundle_short_version,
   bundle_version,
   display_name
FROM
   apps



    To get the machine IP details.

    SELECT
   friendly_name,
   interface,
   address,
   mask,
   broadcast,
   point_to_point,
   type
FROM 
    interface_addresses
WHERE 
    address LIKE '%.%.%.%' 
AND address <> '127.0.0.1'

Unfiltered HTML