topic Re: xql query for process in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-for-process/m-p/1241053#M8839 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1602113155">@T.Nurmi</a>&nbsp;</P> <P>&nbsp;</P> <P>Im not sure what you mean here.&nbsp;</P> <P>&nbsp;</P> <P>Are you looking for parent/child process ?&nbsp;</P> <P>&nbsp;</P> <P>Two different independent processes ?&nbsp;</P> <P>&nbsp;</P> <P>As per your question if those processes happen, I can tell you that if you get data from a process in a query, this means that the logs are there so the process was present there&nbsp;</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".&nbsp;</P> <P>Thank you.</P> <P>Luis&nbsp;</P> Fri, 31 Oct 2025 10:05:55 GMT eluis 2025-10-31T10:05:55Z xql query for process https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-for-process/m-p/1240646#M8826 <P>Hi. i just try to do some basic threat hunting.&nbsp;</P> <P>dataset = xdr_data<BR />| filter action_process_image_name in ("a.exe", "b.exe")<BR />| fields agent_hostname, actor_effective_username, action_process_image_name, action_process_image_command_line , _time<BR />| sort desc _time</P> <P>&nbsp;</P> <P>so i try to identfied two different process is happening at same endpoints. how to do that . current query just collect all process and i just want fiter that if those process happen&gt; then i got event&gt; example Process chrome start some other process</P> Fri, 24 Oct 2025 09:59:09 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-for-process/m-p/1240646#M8826 T.Nurmi 2025-10-24T09:59:09Z Re: xql query for process https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-for-process/m-p/1241053#M8839 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1602113155">@T.Nurmi</a>&nbsp;</P> <P>&nbsp;</P> <P>Im not sure what you mean here.&nbsp;</P> <P>&nbsp;</P> <P>Are you looking for parent/child process ?&nbsp;</P> <P>&nbsp;</P> <P>Two different independent processes ?&nbsp;</P> <P>&nbsp;</P> <P>As per your question if those processes happen, I can tell you that if you get data from a process in a query, this means that the logs are there so the process was present there&nbsp;</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".&nbsp;</P> <P>Thank you.</P> <P>Luis&nbsp;</P> Fri, 31 Oct 2025 10:05:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-query-for-process/m-p/1241053#M8839 eluis 2025-10-31T10:05:55Z