topic Re: XQL Query to look for a certain username on the domain on what devices they logged on to. in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-to-look-for-a-certain-username-on-the-domain-on-what/m-p/581380#M6395 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/280058">@Joe-Oberfoell</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>In the XQL Query Library you can find one pre-defined query called "All successful logins by a user" where you can set the username and it will search the xdr_data dataset for login events from that user.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmazzeo_0-1711129475097.png" style="width: 650px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/58562i4611DED56F501E96/image-dimensions/650x268/is-moderation-mode/true?v=v2" width="650" height="268" role="button" title="jmazzeo_0-1711129475097.png" alt="jmazzeo_0-1711129475097.png" /></span></P> <P>Try it and check how it goes, you can modify the query as you need to fulfill your needs.</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> <P>&nbsp;</P> Fri, 22 Mar 2024 17:46:19 GMT jmazzeo 2024-03-22T17:46:19Z XQL Query to look for a certain username on the domain on what devices they logged on to. https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-to-look-for-a-certain-username-on-the-domain-on-what/m-p/581356#M6392 <P>I have other tools that I can scan our entire network looking, but its time consuming to setup and run. This need has come up before., when creds are being used suspiciously and we want to see where all they are logging on.</P> <P>I think running a XQL may be a time saver if I can figure it out.</P> Fri, 22 Mar 2024 14:35:08 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-to-look-for-a-certain-username-on-the-domain-on-what/m-p/581356#M6392 Joe-Oberfoell 2024-03-22T14:35:08Z Re: XQL Query to look for a certain username on the domain on what devices they logged on to. https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-to-look-for-a-certain-username-on-the-domain-on-what/m-p/581380#M6395 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/280058">@Joe-Oberfoell</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>In the XQL Query Library you can find one pre-defined query called "All successful logins by a user" where you can set the username and it will search the xdr_data dataset for login events from that user.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmazzeo_0-1711129475097.png" style="width: 650px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/58562i4611DED56F501E96/image-dimensions/650x268/is-moderation-mode/true?v=v2" width="650" height="268" role="button" title="jmazzeo_0-1711129475097.png" alt="jmazzeo_0-1711129475097.png" /></span></P> <P>Try it and check how it goes, you can modify the query as you need to fulfill your needs.</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> <P>&nbsp;</P> Fri, 22 Mar 2024 17:46:19 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-to-look-for-a-certain-username-on-the-domain-on-what/m-p/581380#M6395 jmazzeo 2024-03-22T17:46:19Z