2019-06-12 01:32 PM
Is there an easy way to check which Microsoft KBs are installed using the RSA Endpoint agents? I can see installed Windows Patches under System Information in Hosts for a specific device, but I can't seem to find a way to search for a specific KB, and possibly get a list of hosts that have that installed (or not) without checking every host individually. Does this kind of functionality exist in 11.3?
2019-06-12 03:26 PM
"Easy" may be a relative term, but this information is in the endpoint hybrid's MongoDB, so you can query for it from the CLI.
Run these commands from the admin server. If you want the results written to file, you would include "--out /path/to/filename" in the second command. Also FYI, the first command will take a few seconds to complete.
# DEPLOY_PW=$(security-cli-client --get-config-prop --prop-hierarchy nw.security-client --prop-name platform.deployment.password --quiet)
# mongoexport --authenticationDatabase=admin --host <Endpoint_Server_IP_or_Hostname> --username deploy_admin --password "$DEPLOY_PW" --db endpoint-server --collection machinedetail --query '{"machine.systemPatches":"MS_KB_HERE"}' --fields "machine.machineName" --type csv --noHeaderLine --quiet
This will print the machine names that have the "MS_KB_HERE" value.
To look for machines without a specific KB, modify your query to:
--query '{"machine.systemPatches": {$ne: "MS_KB_HERE" }}'
To look for multiple KBs:
--query '{"machine.systemPatches": {$in: ["MS_KB_HERE1","MS_KB_HERE2","MS_KB_HERE3","MS_KB_HERE...N"] }}'
To look for machines without multiple KBs:
--query '{"machine.systemPatches": {$nin: ["MS_KB_HERE1","MS_KB_HERE2","MS_KB_HERE3","MS_KB_HERE...N"] }}'
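For a patch-compliance check you usually want to know which required KBs each host lacks, and a `$nin` query only returns hosts that have none of the listed values. The following is an added example, not part of the reply above: it post-processes a single export taken without `--type csv` and with `--fields "machine.machineName,machine.systemPatches"`. It assumes `systemPatches` is an array of KB strings; the function names and sample data are constructed for illustration.

```python
import json

# Constructed sample in the JSON-lines shape mongoexport writes by default,
# limited to the two fields used in the thread. Hosts and KB numbers are made up.
SAMPLE_EXPORT = """\
{"machine": {"machineName": "WS-001", "systemPatches": ["KB4499175", "KB4503292"]}}
{"machine": {"machineName": "WS-002", "systemPatches": ["kb4499175"]}}
{"machine": {"machineName": "SRV-DB1", "systemPatches": []}}
{"machine": {"machineName": "WS-003"}}
"""


def normalize_kb(value):
    """Trim and upper-case a KB identifier so 'kb4499175 ' equals 'KB4499175'."""
    return str(value).strip().upper()


def missing_patches(export_text, required):
    """Return {machine name: sorted list of required KBs not recorded for it}.

    Hosts that have every required KB are omitted. A host whose document has
    no systemPatches field is reported as missing all required KBs.
    """
    required = {normalize_kb(kb) for kb in required}
    report = {}
    for line_no, line in enumerate(export_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            machine = json.loads(line).get("machine", {})
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {line_no}: not valid JSON: {exc}") from exc
        name = machine.get("machineName", f"<unnamed, line {line_no}>")
        patches = machine.get("systemPatches") or []
        if isinstance(patches, str):  # assumption: tolerate a single string value
            patches = [patches]
        gaps = sorted(required - {normalize_kb(p) for p in patches})
        if gaps:
            report[name] = gaps
    return report


if __name__ == "__main__":
    for host, gaps in missing_patches(SAMPLE_EXPORT, ["KB4499175", "KB4503292"]).items():
        print(f"{host}: missing {', '.join(gaps)}")
```

To run it against real data, read the file written by `--out` and pass its contents as `export_text`.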
2019-06-28 11:42 AM
Thanks Joshua, this actually isn't too bad. Hopefully we can see this functionality built into the UI in future releases but this gets the job done.