https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-xql-query-to-check-which-user-is-elevating-access-in/m-p/598637#M7218 <P>Hello Team ,&nbsp;</P> <P>&nbsp;</P> <P>I am trying to write a XQL query to check&nbsp;which user is elevating access in Linux.&nbsp;</P> <P>&nbsp;</P> <P>can someone please help to write this query ?</P> <P>&nbsp;</P> <P>Thanks in advance.<BR /><BR /><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp; #XQL</P> Tue, 24 Sep 2024 11:47:55 GMT tejaspatil12 2024-09-24T11:47:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-xql-query-to-check-which-user-is-elevating-access-in/m-p/598637#M7218 <P>Hello Team ,&nbsp;</P> <P>&nbsp;</P> <P>I am trying to write a XQL query to check&nbsp;which user is elevating access in Linux.&nbsp;</P> <P>&nbsp;</P> <P>can someone please help to write this query ?</P> <P>&nbsp;</P> <P>Thanks in advance.<BR /><BR /><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp; #XQL</P> Tue, 24 Sep 2024 11:47:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-xql-query-to-check-which-user-is-elevating-access-in/m-p/598637#M7218 tejaspatil12 2024-09-24T11:47:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-xql-query-to-check-which-user-is-elevating-access-in/m-p/598671#M7219 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/326396">@tejaspatil12</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>This is a simple example that can help you with your inquiry:</P> <P>&nbsp;</P> <P>dataset = xdr_data <BR />| filter agent_hostname = "HostName" // If you need to filter one endpoint<BR />| filter actor_process_command_line contains "sudo"<BR />| fields agent_hostname, agent_ip_addresses, actor_process_command_line // Add fields as needed</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Tue, 24 Sep 2024 17:46:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-xql-query-to-check-which-user-is-elevating-access-in/m-p/598671#M7219 jmazzeo 2024-09-24T17:46:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-xql-query-to-check-which-user-is-elevating-access-in/m-p/598742#M7220 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/310428">@jmazzeo</a>&nbsp; this is giving the list for all command lines.&nbsp;</P> <P>&nbsp;</P> <P>Can we add the field which user executed it ? so we can get the idea about which user elevated the access</P> Wed, 25 Sep 2024 10:38:06 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-xql-query-to-check-which-user-is-elevating-access-in/m-p/598742#M7220 tejaspatil12 2024-09-25T10:38:06Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-xql-query-to-check-which-user-is-elevating-access-in/m-p/598785#M7224 <P>You can add any fields you need, look at the "field" stage line in the query and keep adding all the required fields.</P> Wed, 25 Sep 2024 18:59:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-xql-query-to-check-which-user-is-elevating-access-in/m-p/598785#M7224 jmazzeo 2024-09-25T18:59:02Z