https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-xql-query-to-report-deleted-files/m-p/548382#M4704 <P>Dear&nbsp;<A id="link_29" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190764" target="_self" aria-label="View Profile of eluis"><SPAN class="">Eluis</SPAN></A>,</P> <P>One more question - please can we further filter the query by ext, for example "doc", "docx", "ppt". "pptx", etc etc?</P> <P>Thank you very much</P> Thu, 06 Jul 2023 09:20:12 GMT chinsiongwong 2023-07-06T09:20:12Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-xql-query-to-report-deleted-files/m-p/548170#M4692 <P>Dear Sir,</P> <P>Please if anyone can help to advise the XQL query to create a custom report to capture the "File Delete" activities in one particular server?</P> <P>I know we can create the same from Query Builder, but from Query Builder it will only return 10,000 records. In addition, we not able to email the result as attachment (or if i am wrong with this understanding?).</P> <P>Any help and advise is very appreciated.</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 05 Jul 2023 01:02:45 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-xql-query-to-report-deleted-files/m-p/548170#M4692 chinsiongwong 2023-07-05T01:02:45Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-xql-query-to-report-deleted-files/m-p/548231#M4694 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/197591">@chinsiongwong</a>&nbsp;</P> <P>thanks for writing us in LiveCommunity.&nbsp;</P> <P>Please try the following XQL query</P> <P>&nbsp;</P> <LI-CODE lang="markup">dataset =xdr_data | filter event_type = ENUM.FILE and event_sub_type = FILE_REMOVE and agent_hostname_here = "your_server_hostname " | fields agent_hostname, agent_version, action_file_path , event_sub_type, event_type | dedup action_file_path | limit 1000 </LI-CODE> <P>. Please notice that: You can use this query and save it as a widget and save the results as csv file which can be exported in from of reports&nbsp;</P> <P>The limit = 1000 will limit your results. If results are bigger than 20MB you wont be able to export them.</P> <P>Replace your_server_hostname by the name of your server you want to monitor</P> <P>&nbsp;</P> <P>Please granularity your reports as much as you can/want</P> <P>&nbsp;</P> <P>I hope this helps. Mark this as a solution if it helps</P> <P>&nbsp;</P> <P>KR,</P> <P>Luis&nbsp;</P> <P>&nbsp;</P> Wed, 05 Jul 2023 11:11:08 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-xql-query-to-report-deleted-files/m-p/548231#M4694 eluis 2023-07-05T11:11:08Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-xql-query-to-report-deleted-files/m-p/548382#M4704 <P>Dear&nbsp;<A id="link_29" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190764" target="_self" aria-label="View Profile of eluis"><SPAN class="">Eluis</SPAN></A>,</P> <P>One more question - please can we further filter the query by ext, for example "doc", "docx", "ppt". "pptx", etc etc?</P> <P>Thank you very much</P> Thu, 06 Jul 2023 09:20:12 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-xql-query-to-report-deleted-files/m-p/548382#M4704 chinsiongwong 2023-07-06T09:20:12Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-xql-query-to-report-deleted-files/m-p/548501#M4713 <P>Please ignore this. Got it works.</P> <P>&nbsp;</P> <P>Thank you very much.</P> Fri, 07 Jul 2023 07:01:08 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/need-help-with-xql-query-to-report-deleted-files/m-p/548501#M4713 chinsiongwong 2023-07-07T07:01:08Z