https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/action-process-image-command-line-filter-issue/m-p/1231634#M8418 <P>Hi, I'm trying to build a query that would check for reg.exe launches. This is well and good, but the moment I add a filter action_process_image_command_line = "reg save" nothing appears, even though it was part of the initial result for reg.exe. When I checked the schema,&nbsp;action_process_image_command_line is a string, so I don't think my query was wrong. Is anyone else having the same issue?<BR /><BR /></P> <P>&nbsp;</P> <LI-CODE lang="markup">config case_sensitive = false | dataset = xdr_data | filter agent_hostname = "hostname" | filter event_type = ENUM.PROCESS and event_sub_type in (ENUM.PROCESS_START, ENUM.PROCESS_STOP) and action_process_image_name = "reg.exe*" | filter action_process_image_command_line = "reg save" | fields agent_hostname, actor_effective_username, action_process_image_command_line, action_process_image_name, actor_process_command_line, *command_line*</LI-CODE> <P>&nbsp;</P> <P>&nbsp;&nbsp;<BR />Unfiltered<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Unfiltered" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68021iE83690FF030EA1DF/image-size/large?v=v2&amp;px=999" role="button" title="unfiltered.jpg" alt="Unfiltered" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Unfiltered</span></span><BR /><BR />Filtered<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="filtered.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68023i804CFF14316DADBA/image-size/large?v=v2&amp;px=999" role="button" title="filtered.jpg" alt="filtered.jpg" /></span><BR /><BR /></P> Thu, 12 Jun 2025 16:10:04 GMT a2123k1 2025-06-12T16:10:04Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/action-process-image-command-line-filter-issue/m-p/1231634#M8418 <P>Hi, I'm trying to build a query that would check for reg.exe launches. This is well and good, but the moment I add a filter action_process_image_command_line = "reg save" nothing appears, even though it was part of the initial result for reg.exe. When I checked the schema,&nbsp;action_process_image_command_line is a string, so I don't think my query was wrong. Is anyone else having the same issue?<BR /><BR /></P> <P>&nbsp;</P> <LI-CODE lang="markup">config case_sensitive = false | dataset = xdr_data | filter agent_hostname = "hostname" | filter event_type = ENUM.PROCESS and event_sub_type in (ENUM.PROCESS_START, ENUM.PROCESS_STOP) and action_process_image_name = "reg.exe*" | filter action_process_image_command_line = "reg save" | fields agent_hostname, actor_effective_username, action_process_image_command_line, action_process_image_name, actor_process_command_line, *command_line*</LI-CODE> <P>&nbsp;</P> <P>&nbsp;&nbsp;<BR />Unfiltered<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Unfiltered" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68021iE83690FF030EA1DF/image-size/large?v=v2&amp;px=999" role="button" title="unfiltered.jpg" alt="Unfiltered" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Unfiltered</span></span><BR /><BR />Filtered<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="filtered.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68023i804CFF14316DADBA/image-size/large?v=v2&amp;px=999" role="button" title="filtered.jpg" alt="filtered.jpg" /></span><BR /><BR /></P> Thu, 12 Jun 2025 16:10:04 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/action-process-image-command-line-filter-issue/m-p/1231634#M8418 a2123k1 2025-06-12T16:10:04Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/action-process-image-command-line-filter-issue/m-p/1231665#M8423 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/336272">@a2123k1</a>&nbsp;,</P> <P>&nbsp;</P> <P>Typically,&nbsp;<SPAN>action_process_image_command_line would include the full command,<FONT face="mingliu,biaukai"> i.e<EM><FONT color="#333300">&nbsp;"</FONT></EM></FONT></SPAN><FONT face="mingliu,biaukai"><EM><FONT color="#333300"><SPAN>reg save HKLM\\HARDWARE \"C:\\Program Files\...."</SPAN></FONT></EM></FONT></P> <P>&nbsp;</P> <P><FONT color="#000000"><SPAN>I would recommend shifting to contains instead</SPAN></FONT></P> <P>&nbsp;</P> <LI-CODE lang="markup">| filter action_process_image_command_line contains "reg save" </LI-CODE> <P>or leverage regex to ensure it starts with reg save</P> <LI-CODE lang="python">| filter action_process_image_command_line ~= "(^reg save(.*)$)" </LI-CODE> <P>&nbsp;</P> Thu, 12 Jun 2025 21:08:11 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/action-process-image-command-line-filter-issue/m-p/1231665#M8423 A.Elzedy 2025-06-12T21:08:11Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/action-process-image-command-line-filter-issue/m-p/1231722#M8431 <P>Thanks for the suggestion, those didn't work either.</P> Fri, 13 Jun 2025 12:52:35 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/action-process-image-command-line-filter-issue/m-p/1231722#M8431 a2123k1 2025-06-13T12:52:35Z