Android Cortex XDR

QuestionAb — Thu, 08 Jan 2026 14:59:24 GMT

I want to know how to perform an XQL query for Android devices, where I search by hash and it shows me all the devices that have that .apk with that hash, or I can search by name.

Re: Android Cortex XDR

susekar — Wed, 21 Jan 2026 15:23:01 GMT

Hello @QuestionAb ,

Greetings for the day.

To perform an XQL query for Android devices to find a specific .apk by its hash or name, you can use several approaches depending on whether you are looking for historical activity (logs) or the current installation status (inventory).

1. Searching by File Hash (SHA256)

To identify all devices where a specific file hash has been seen in historical activity, use the xdr_data dataset. This search relies on the telemetry reported when the Android agent scans apps or when activities like installations occur.

XQL Query Template (Historical Activity):

dataset = xdr_data
| filter os_type = ENUM.OS_ANDROID
| filter action_file_sha256 = "INSERT_HASH_HERE"
| fields _time, agent_hostname, action_file_name, action_file_sha256, action_file_path

Note: Ensure the hash is in SHA256 format, as this is the standard used for file identification in Cortex XDR.

2. Searching by File Name

If you do not have the hash, you can search for the filename. For historical logs, use the action_file_name field.

XQL Query Template (Historical Activity):

dataset = xdr_data
| filter os_type = ENUM.OS_ANDROID
| filter action_file_name contains "app_name" 
| fields _time, agent_hostname, action_file_name, action_file_sha256

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Happy New Year!!

Thanks & Regards,
S. Subashkar Sekar

topic Android Cortex XDR in Cortex XDR Discussions

Android Cortex XDR

Re: Android Cortex XDR

1. Searching by File Hash (SHA256)

2. Searching by File Name