topic Logs not visible - XQL Query in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/logs-not-visible-xql-query/m-p/525648#M3324 <P>Hello,</P> <P>&nbsp;</P> <P>Currently we are trying to create a query that gives us the result if the user has executed Sudo command and then right after executed the cd command. Is it possible to write a query that searches for commands executed one after the other?</P> <P>&nbsp;</P> <P>During this process we observed that cortex is not giving us logs for cd command in any of the systems. why is it so?</P> <P>&nbsp;</P> Tue, 03 Jan 2023 08:43:58 GMT Aiman_Fathima 2023-01-03T08:43:58Z Logs not visible - XQL Query https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/logs-not-visible-xql-query/m-p/525648#M3324 <P>Hello,</P> <P>&nbsp;</P> <P>Currently we are trying to create a query that gives us the result if the user has executed Sudo command and then right after executed the cd command. Is it possible to write a query that searches for commands executed one after the other?</P> <P>&nbsp;</P> <P>During this process we observed that cortex is not giving us logs for cd command in any of the systems. why is it so?</P> <P>&nbsp;</P> Tue, 03 Jan 2023 08:43:58 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/logs-not-visible-xql-query/m-p/525648#M3324 Aiman_Fathima 2023-01-03T08:43:58Z Re: Logs not visible - XQL Query https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/logs-not-visible-xql-query/m-p/525654#M3327 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/224150">@Aiman_Fathima</a>&nbsp;</P> <P>&nbsp;</P> <P>You can use below query. You should have enough telemetry data for this task, if you enabled XDR Pro on the endpoint.&nbsp;</P> <P>&nbsp;</P> <P>dataset = xdr_data <BR />| filter os_actor_process_image_path = "/usr/bin/sudo" and os_actor_process_command_line contains "cd"</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="etugriceri_0-1672739559480.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46594i2B97D7C3C897B3A1/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="etugriceri_0-1672739559480.png" alt="etugriceri_0-1672739559480.png" /></span></P> <P>&nbsp;</P> Tue, 03 Jan 2023 09:52:49 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/logs-not-visible-xql-query/m-p/525654#M3327 etugriceri 2023-01-03T09:52:49Z