https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-for-multiple-hashes-on-cortex-xdr/m-p/544150#M4461 <P>Since this question is still open to discussion, I have the similar question... is it possible to build such a query to search across multiple hashes from external data files GitHub, etc.? MS example that kind of query search:<BR />| where SHA1 in (externaldata(hash:string)[URL])... thanks for any info. on that.</P> Wed, 31 May 2023 11:51:02 GMT VidRupnik 2023-05-31T11:51:02Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-for-multiple-hashes-on-cortex-xdr/m-p/535569#M3919 <P>Does anyone know a way to search for multiple hashes on Cortex XDR?</P> <P>file_search = existing_files does not allow any operators other than "=" for the sha values and you can't string multiple in a query.&nbsp;</P> <P>I feel like I'm missing something and there should be a way to do that that I'm not aware of.&nbsp;</P> <P>&nbsp;</P> <P>Any ideas?</P> Thu, 23 Mar 2023 14:57:43 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-for-multiple-hashes-on-cortex-xdr/m-p/535569#M3919 rufat87 2023-03-23T14:57:43Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-for-multiple-hashes-on-cortex-xdr/m-p/535586#M3921 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/209466">@rufat87</a>,</P> <P>&nbsp;</P> <P>Thanks for reaching out on LIVEcommunity!</P> <P>&nbsp;</P> <P>It appears you're looking for a field you can use the "in" operator with.&nbsp; Use of the "in" operators looks like this<BR /><BR /></P> <LI-CODE lang="markup"> dataset = xdr_data | filter action_file_sha256 in ("4138198e8b807e106ad7c256bfe9bd4e9d9a2de3473367405bc3c299cc774294", "f491caeb1a1b561b0d87efcb17deb79e63eb993940a6d34346dea6504f7c9400") | fields _time, action_file_name </LI-CODE> <P><BR /><BR /></P> <P>Alternatively, you have the option of using the query builder and using a pipe ( | ) to separate multiple values in any field.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2023-03-23 at 11.46.04 AM.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48983i4086A80BE990F519/image-size/medium?v=v2&amp;px=400" role="button" title="Screen Shot 2023-03-23 at 11.46.04 AM.png" alt="Screen Shot 2023-03-23 at 11.46.04 AM.png" /></span></P> <P>A display of the results is below (I used dummy hash values so there are no results, I wanted to draw your attention to the query itself).</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2023-03-23 at 11.47.08 AM.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48984i1B40DF973A6E2FFE/image-size/medium?v=v2&amp;px=400" role="button" title="Screen Shot 2023-03-23 at 11.47.08 AM.png" alt="Screen Shot 2023-03-23 at 11.47.08 AM.png" /></span></P> <P> </P> <P>I hope this information helps.&nbsp; For future reference I'll provide you with a great <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Search-Queries" target="_self">XQL resource</A>.</P> <P>&nbsp;</P> <P>If you have any other questions or if I didn't answer your question fully please feel free to respond here.</P> <P>&nbsp;</P> <P>Have a great day!</P> Thu, 23 Mar 2023 16:49:54 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-for-multiple-hashes-on-cortex-xdr/m-p/535586#M3921 anlynch 2023-03-23T16:49:54Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-for-multiple-hashes-on-cortex-xdr/m-p/535588#M3922 <P>Thanks for responding, I was aware of such file search. I was hoping a search against files existing on the hosts via sha would also have an option of multiple value input. I guess you are saying that is not possible for&nbsp;<SPAN>file_search = existing_files&nbsp;xql query?</SPAN></P> Thu, 23 Mar 2023 17:01:48 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-for-multiple-hashes-on-cortex-xdr/m-p/535588#M3922 rufat87 2023-03-23T17:01:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-for-multiple-hashes-on-cortex-xdr/m-p/544150#M4461 <P>Since this question is still open to discussion, I have the similar question... is it possible to build such a query to search across multiple hashes from external data files GitHub, etc.? MS example that kind of query search:<BR />| where SHA1 in (externaldata(hash:string)[URL])... thanks for any info. on that.</P> Wed, 31 May 2023 11:51:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/searching-for-multiple-hashes-on-cortex-xdr/m-p/544150#M4461 VidRupnik 2023-05-31T11:51:02Z