https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/unable-to-retrive-downloaded-exe-s/m-p/1085650#M7740 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/303784">@Malayamarutham</a>&nbsp;,</P> <P>&nbsp;</P> <P><SPAN>Thanks for reaching out on LiveCommunity!</SPAN></P> <P>&nbsp;</P> <P><SPAN>You can try below query as a sample and modify it as per your requirement:</SPAN></P> <P><SPAN>dataset = xdr_data <BR />| filter event_type = File and event_sub_type in (ENUM.FILE_CREATE_NEW , ENUM.FILE_WRITE, ENUM.FILE_RENAME ) and (action_file_path contains """\\Downloads\\""" or action_file_path contains "/Downloads/") <BR />| fields actor_process_image_name, agent_hostname, actor_effective_username, event_type, event_sub_type, action_file_name, action_file_path, action_file_extension, action_file_sha256</SPAN></P> <P>&nbsp;</P> <P><SPAN>If you feel this has answered your query, please let us know by clicking on "mark this as a Solution".</SPAN></P> <P>&nbsp;</P> <P><SPAN> Thank you.</SPAN></P> Wed, 15 Jan 2025 17:09:30 GMT aspatil 2025-01-15T17:09:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/unable-to-retrive-downloaded-exe-s/m-p/1066745#M7723 <P>Hello everyone,</P> <P>&nbsp;</P> <P>I was trying to check all the downloaded exe's via firewall on all the endpoints in past 24hrs. I tried retrieving all downloaded exe's in downloads folder with the help of this query below.&nbsp;</P> <P>dataset = xdr_data <BR />| filter event_type = ENUM.FILE <BR />| filter action_file_path contains "Downloads" and action_file_path contains "C:\Users\"</P> <P>&nbsp;</P> <P>Can anyone help me with this.</P> <P>Thank you&nbsp;</P> Tue, 14 Jan 2025 20:33:03 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/unable-to-retrive-downloaded-exe-s/m-p/1066745#M7723 Malayamarutham 2025-01-14T20:33:03Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/unable-to-retrive-downloaded-exe-s/m-p/1085650#M7740 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/303784">@Malayamarutham</a>&nbsp;,</P> <P>&nbsp;</P> <P><SPAN>Thanks for reaching out on LiveCommunity!</SPAN></P> <P>&nbsp;</P> <P><SPAN>You can try below query as a sample and modify it as per your requirement:</SPAN></P> <P><SPAN>dataset = xdr_data <BR />| filter event_type = File and event_sub_type in (ENUM.FILE_CREATE_NEW , ENUM.FILE_WRITE, ENUM.FILE_RENAME ) and (action_file_path contains """\\Downloads\\""" or action_file_path contains "/Downloads/") <BR />| fields actor_process_image_name, agent_hostname, actor_effective_username, event_type, event_sub_type, action_file_name, action_file_path, action_file_extension, action_file_sha256</SPAN></P> <P>&nbsp;</P> <P><SPAN>If you feel this has answered your query, please let us know by clicking on "mark this as a Solution".</SPAN></P> <P>&nbsp;</P> <P><SPAN> Thank you.</SPAN></P> Wed, 15 Jan 2025 17:09:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/unable-to-retrive-downloaded-exe-s/m-p/1085650#M7740 aspatil 2025-01-15T17:09:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/unable-to-retrive-downloaded-exe-s/m-p/1085866#M7747 <P>Thank a ton for that. That really helped in retrieving the all EXE files downloaded via internet, likely through firewall and filtered or monitored by Zscaler. So, do I need to join paloalto traffic raw dataset to it? It's a little confusing.</P> <P><SPAN>dataset = xdr_data</SPAN><BR /><SPAN>| filter event_type = File and event_sub_type in (ENUM.FILE_CREATE_NEW , ENUM.FILE_WRITE, ENUM.FILE_RENAME ) and (action_file_path contains """\\Downloads\\""" or action_file_path contains "/Downloads/")</SPAN><BR /><SPAN>| fields actor_process_image_name, agent_hostname, actor_effective_username, event_type, event_sub_type, action_file_name, action_file_path, action_file_extension, action_file_sha256</SPAN></P> <P><SPAN>| join (</SPAN></P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;dataset= panw_ngfw_traffic_raw</P> <P>| filter dest_port in (80,443) // Focus on web traffic (HTTP/HTTPS)</P> <P>| filter ap[p in ("web-browsing", "ssl") // Application types for internet downloads</P> <P>) on action_networks_session_id = session_id</P> <P>&nbsp;</P> <P>I tried this but doesn't work. Truly appreciate your help.</P> Wed, 15 Jan 2025 17:48:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/unable-to-retrive-downloaded-exe-s/m-p/1085866#M7747 Malayamarutham 2025-01-15T17:48:33Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/unable-to-retrive-downloaded-exe-s/m-p/1213504#M7828 <P>What exactly you are trying to achieve now? Can you please confirm?</P> Wed, 29 Jan 2025 09:21:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/unable-to-retrive-downloaded-exe-s/m-p/1213504#M7828 aspatil 2025-01-29T09:21:52Z