https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-removes-endpoint-cves-and-all-information/m-p/1222986#M8052 <P>I want to remove all information related to the endpoint <STRONG>"ABC"</STRONG>. However, with the following xql query, it only removes cves that are exclusively associated with this endpoint. If a cves is associated with multiple endpoints, the <STRONG>affected_products, affected_hosts, and affected_hosts_count</STRONG> fields still display information related to <STRONG>"ABC"</STRONG>.</P><P>How should I modify the query so that no information about<STRONG>"ABC"</STRONG>&nbsp;appears in the cves, even if the cves affects multiple endpoints?</P><P>&nbsp;</P><P>MY xql QUERY:</P><P>dataset = va_cves<BR />| filter affected_hosts != "ABC"<BR />| filter severity &gt;=low<BR />| filter affected_hosts_count &gt;=1<BR />| fields name as CVE, severity , severity_score ,type as APPLICATION_OPERATINGSYSTEM,description ,affected_products, affected_hosts ,affected_hosts_count,publication_date<BR />|sort desc publication_date</P><P><BR /><BR /><BR /><BR /></P> Fri, 07 Mar 2025 00:05:55 GMT HCSammyChou 2025-03-07T00:05:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-removes-endpoint-cves-and-all-information/m-p/1222986#M8052 <P>I want to remove all information related to the endpoint <STRONG>"ABC"</STRONG>. However, with the following xql query, it only removes cves that are exclusively associated with this endpoint. If a cves is associated with multiple endpoints, the <STRONG>affected_products, affected_hosts, and affected_hosts_count</STRONG> fields still display information related to <STRONG>"ABC"</STRONG>.</P><P>How should I modify the query so that no information about<STRONG>"ABC"</STRONG>&nbsp;appears in the cves, even if the cves affects multiple endpoints?</P><P>&nbsp;</P><P>MY xql QUERY:</P><P>dataset = va_cves<BR />| filter affected_hosts != "ABC"<BR />| filter severity &gt;=low<BR />| filter affected_hosts_count &gt;=1<BR />| fields name as CVE, severity , severity_score ,type as APPLICATION_OPERATINGSYSTEM,description ,affected_products, affected_hosts ,affected_hosts_count,publication_date<BR />|sort desc publication_date</P><P><BR /><BR /><BR /><BR /></P> Fri, 07 Mar 2025 00:05:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-removes-endpoint-cves-and-all-information/m-p/1222986#M8052 HCSammyChou 2025-03-07T00:05:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-removes-endpoint-cves-and-all-information/m-p/1224020#M8070 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/304202">@HCSammyChou</a>&nbsp;,</P> <P>&nbsp;</P> <P>Below query should help!</P> <P>&nbsp;</P> <P>dataset = va_cves<BR />|arrayexpand affected_hosts <BR />|filter affected_hosts != "abc"<BR />| filter severity &gt;=low<BR />| filter affected_hosts_count &gt;=1<BR />| fields name as CVE, severity , severity_score ,type as APPLICATION_OPERATINGSYSTEM,description ,affected_products, affected_hosts ,affected_hosts_count,publication_date<BR />|sort desc publication_date</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>If you feel this has answered your query, please let us know by clicking like and&nbsp; on "mark this as a Solution". Thank you.</SPAN></P> Mon, 17 Mar 2025 14:25:39 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-removes-endpoint-cves-and-all-information/m-p/1224020#M8070 aspatil 2025-03-17T14:25:39Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-removes-endpoint-cves-and-all-information/m-p/1224574#M8115 <DIV class="flex max-w-full flex-col flex-grow"> <DIV class="min-h-8 text-message relative flex w-full flex-col items-end gap-2 whitespace-normal break-words text-start [.text-message+&amp;]:mt-5" dir="auto" data-message-author-role="assistant" data-message-id="460ffafd-cd07-40a9-a958-59408e4ef7b5" data-message-model-slug="gpt-4o"> <DIV class="flex w-full flex-col gap-1 empty:hidden first:pt-[3px]"> <DIV class="markdown prose w-full break-words dark:prose-invert light"> <P class="" data-start="0" data-end="141">This is not the answer I am looking for. In this way, the&nbsp;affected products of the endpoint&nbsp;<SPAN>&nbsp;</SPAN><SPAN>"abc"</SPAN>&nbsp; will still be displayed in<SPAN>&nbsp;</SPAN><STRONG data-start="119" data-end="140">affected_products</STRONG></P> </DIV> </DIV> </DIV> </DIV> <DIV class="mb-2 flex gap-3 -ml-2"> <DIV class="flex items-center justify-start rounded-xl p-1"> <DIV class="flex items-center">&nbsp;</DIV> </DIV> </DIV> Mon, 24 Mar 2025 12:10:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-removes-endpoint-cves-and-all-information/m-p/1224574#M8115 HCSammyChou 2025-03-24T12:10:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-removes-endpoint-cves-and-all-information/m-p/1224626#M8117 <P>Cannot understand your requirement. Your ask was&nbsp;<SPAN>I want to remove all information related to the endpoint&nbsp;</SPAN><STRONG>"ABC".&nbsp;</STRONG> I have provided you the sample query which excludes the host. The affected product can be applied to multiple hosts, hence it will be displayed. To understand more please open CS case.</P> Tue, 25 Mar 2025 06:28:03 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-removes-endpoint-cves-and-all-information/m-p/1224626#M8117 aspatil 2025-03-25T06:28:03Z