Android Cortex XDR

QuestionAb — Thu, 08 Jan 2026 14:53:10 GMT

Does anyone know how to perform bulk queries in Cortex XDR for Android devices? I want it to show me all Android devices that contain a specific hash or that contain the same APK file.

Please, I'm open to suggestions.

Re: Android Cortex XDR

susekar — Wed, 14 Jan 2026 19:49:47 GMT

Hello @QuestionAb ,

Greetings for the day!

To perform a bulk search for multiple hashes or package names across the fleet using XQL, the recommended approach is to use the in operator within a filter stage. This allows for set-based lookups that are significantly more efficient than multiple individual queries or complex OR logic .

Recommended Syntax for Bulk Hash Search

When searching for a list of SHA256 hashes in historical event data, use the xdr_data dataset and the action_file_sha256 field .

The following syntax is recommended for bulk hash lookups

dataset = xdr_data
| filter action_file_sha256 in (
    "hash_value_1",
    "hash_value_2",
    "hash_value_3"
)
| fields _time, agent_hostname, action_file_sha256, action_file_name, action_file_path
| sort asc _time

Recommended Syntax for Bulk Package/Application Search

For identifying specific software or package names across endpoints (including mobile/Android inventory), use the host_inventory_applications preset or the host_inventory dataset .

Based on the provided software inventory examples , use this syntax:

preset = host_inventory_applications 
| filter application_name in ("package_name_1", "package_name_2")
| fields endpoint_name, application_name, raw_version, vendor
| sort asc endpoint_name

If specific Android package fields are required for the search , you may need to verify the exact field names in the schema tab of the XQL Search interface by entering dataset = * and inspecting the available fields .

Key Considerations for Bulk Queries

The in Operator: This is the canonical set operator for checking if a field's value matches any item in a provided list .
Dataset Performance: While the xdr_data dataset supports up to 1,000,000 results , bulk file searches via the Action Center (UI-based "Search File" function) are typically limited to one hash at a time .
Filtering Early: Best practices dictate using filter as early as possible in the query to reduce the data volume and improve performance .
Case Sensitivity: By default, XQL is case-sensitive for string comparisons unless specified otherwise using config case_sensitive = false at the start of the query .

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Happy New Year!!

Thanks & Regards,
S. Subashkar Sekar

Re: Android Cortex XDR

QuestionAb — Wed, 14 Jan 2026 20:34:02 GMT

Thank you so much my friend

It helps a lot

Happy new year as well

Best regards

topic Re: Android Cortex XDR in Cortex XDR Discussions

Android Cortex XDR

Re: Android Cortex XDR

Recommended Syntax for Bulk Hash Search

Recommended Syntax for Bulk Package/Application Search

Key Considerations for Bulk Queries

Re: Android Cortex XDR