https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-list-of-processes-which-were-not-started-launched-in-the/m-p/553842#M4971 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/304482">@mavega</a>,</P> <P>&nbsp;</P> <P>this would help us in the part "malware flew under the radar". We also see the rare processes in the company and can investigate deeper, if we want.&nbsp;</P> <P>Thanks for your research!</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> <P>&nbsp;</P> Tue, 15 Aug 2023 20:40:24 GMT RFeyertag 2023-08-15T20:40:24Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-list-of-processes-which-were-not-started-launched-in-the/m-p/553695#M4963 <P>Hello dear community,&nbsp;</P> <P>&nbsp;</P> <P>I would like to have a list of processes which were not started/launched in the past XX days. I think it would be nice to know, which processes are brand new etc.</P> <P>&nbsp;</P> <P>Will this work with XQL and how?</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Mon, 14 Aug 2023 21:24:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-list-of-processes-which-were-not-started-launched-in-the/m-p/553695#M4963 RFeyertag 2023-08-14T21:24:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-list-of-processes-which-were-not-started-launched-in-the/m-p/553823#M4970 <P>Hi&nbsp;<A id="link_7" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671" target="_self" aria-label="View Profile of RFeyertag"><SPAN class="">RFeyertag</SPAN></A>,</P> <P>Thanks for reaching out to our live community.</P> <P>We are looking into your inquiry and doing some research to provide you with the best possible response.</P> <P>Could you please elaborate a bit more? What is the use case for your inquiry?</P> <P>Please provide as many details as possible as there might a better approach on gathering the information you are looking for.</P> Tue, 15 Aug 2023 18:56:35 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-list-of-processes-which-were-not-started-launched-in-the/m-p/553823#M4970 mavega 2023-08-15T18:56:35Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-list-of-processes-which-were-not-started-launched-in-the/m-p/553842#M4971 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/304482">@mavega</a>,</P> <P>&nbsp;</P> <P>this would help us in the part "malware flew under the radar". We also see the rare processes in the company and can investigate deeper, if we want.&nbsp;</P> <P>Thanks for your research!</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> <P>&nbsp;</P> Tue, 15 Aug 2023 20:40:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-list-of-processes-which-were-not-started-launched-in-the/m-p/553842#M4971 RFeyertag 2023-08-15T20:40:24Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-list-of-processes-which-were-not-started-launched-in-the/m-p/554031#M4980 <P>Hi&nbsp;<SPAN class="UserName lia-user-name lia-user-rank-L4-Transporter lia-component-message-view-widget-author-username"><A id="link_20" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671" target="_self" aria-label="View Profile of RFeyertag"><SPAN class="">RFeyertag,</SPAN></A></SPAN></P> <P><SPAN class="UserName lia-user-name lia-user-rank-L4-Transporter lia-component-message-view-widget-author-username"><SPAN class="">We are still looking into this one, not sure Cortex works that way, but if you have Host Insight add-on maybe you can try the below script, it might not provide the non running processes but it will show the state of them and you might be able to sort them out (script is for 30 days but you can change it):</SPAN></SPAN></P> <PRE class="c-mrkdwn__pre" data-stringify-type="pre">preset = host_inventory_services | alter More_Than_30D = if((timestamp_diff(current_time(),report_timestamp ,"day")&gt;=30) , "True", "False") | filter (More_Than_30D != """False""") | filter started = "false" | fields service_name ,report_timestamp , More_Than_30D , service_state , service_type , endpoint_name , started | dedup service_name </PRE> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 16 Aug 2023 18:42:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-list-of-processes-which-were-not-started-launched-in-the/m-p/554031#M4980 mavega 2023-08-16T18:42:56Z