https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/request-for-query-to-retrieve-endpoint-security-details/m-p/1247652#M9104 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Prashanta_0-1770435336168.png" style="width: 279px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/70600i3524F4798FD78A65/image-dimensions/279x48?v=v2" width="279" height="48" role="button" title="Prashanta_0-1770435336168.png" alt="Prashanta_0-1770435336168.png" /></span></P> <P>&nbsp;</P> <P>Thank You for reply.&nbsp;</P> <P>Showing<BR />e.os, e.agent is not a valid value.&nbsp;</P> Sat, 07 Feb 2026 03:37:29 GMT Prashanta 2026-02-07T03:37:29Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/request-for-query-to-retrieve-endpoint-security-details/m-p/1247164#M9086 <P data-start="171" data-end="181">Hi Team,</P> <P data-start="183" data-end="283">I would like to create a query that provides the following information for endpoint security events:</P> <UL data-start="285" data-end="489"> <LI data-start="285" data-end="297"> <P data-start="287" data-end="297">Severity</P> </LI> <LI data-start="298" data-end="368"> <P data-start="300" data-end="368">Artifact type (e.g., executable files or other relevant artifacts)</P> </LI> <LI data-start="369" data-end="386"> <P data-start="371" data-end="386">Endpoint name</P> </LI> <LI data-start="387" data-end="401"> <P data-start="389" data-end="401">IP address</P> </LI> <LI data-start="402" data-end="424"> <P data-start="404" data-end="424">Windows OS version</P> </LI> <LI data-start="425" data-end="464"> <P data-start="427" data-end="464">Action taken (e.g., Block or Alert)</P> </LI> <LI data-start="465" data-end="489"> <P data-start="467" data-end="489">Cortex Agent version<BR /><BR />Timeframe:&nbsp; I will be set manually&nbsp;<BR /><BR /><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> </LI> </UL> <P data-start="491" data-end="591">Please let me know the best way to construct this query or if any additional details are required.</P> Mon, 02 Feb 2026 06:00:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/request-for-query-to-retrieve-endpoint-security-details/m-p/1247164#M9086 Prashanta 2026-02-02T06:00:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/request-for-query-to-retrieve-endpoint-security-details/m-p/1247201#M9088 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/593283889">@Prashanta</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P>To create a query that retrieves security events along with endpoint metadata, you can use the <STRONG>alerts</STRONG> dataset as the primary source. Since details such as the full Windows OS version and Cortex Agent version are most accurately maintained in the <STRONG>endpoints</STRONG> dataset, a <STRONG>left join</STRONG> is recommended to combine these two datasets.</P> <H5>XQL Query</H5> <PRE><CODE class="language-xql">dataset = alerts | join type = left (dataset = endpoints) as e e.endpoint_name = host_name | fields severity, category as artifact_type, host_name as endpoint_name, host_ip as ip_address, e.os_version as windows_os_version, action as action_taken, e.agent_version as cortex_agent_version </CODE></PRE> <H5>Field Explanations</H5> <UL> <LI> <P><STRONG>Severity</STRONG>: Retrieved directly from the alerts dataset.</P> </LI> <LI> <P><STRONG>Artifact Type</STRONG>: The <CODE>category</CODE> field identifies the type of security issue, such as Malware, Exploit, or Behavioral Threat.</P> </LI> <LI> <P><STRONG>Action Taken</STRONG>: Displays the outcome of the event, for example <CODE>ENUM.PREVENTED__BLOCKED_</CODE> or <CODE>Alert</CODE>.</P> </LI> <LI> <P><STRONG>Windows OS Version &amp; Agent Version</STRONG>: Retrieved from the endpoints dataset through the join to ensure the most up-to-date inventory information for the endpoint.</P> </LI> </UL> <H5>How to Use</H5> <OL> <LI> <P>Navigate to <STRONG>Investigation &gt; Query Builder</STRONG>.</P> </LI> <LI> <P>Switch to the <STRONG>XQL</STRONG> tab.</P> </LI> <LI> <P>Paste the query into the editor.</P> </LI> <LI> <P>Set the desired <STRONG>Time Range</STRONG> using the manual selector.</P> </LI> <LI> <P>Click <STRONG>Run</STRONG>.</P> </LI> </OL> <P><STRONG>Note:</STRONG> If you need to view the specific executable file associated with an alert, you can add <CODE>action_file_name</CODE> to the <CODE>fields</CODE> list in the query.</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Mon, 02 Feb 2026 13:40:00 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/request-for-query-to-retrieve-endpoint-security-details/m-p/1247201#M9088 susekar 2026-02-02T13:40:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/request-for-query-to-retrieve-endpoint-security-details/m-p/1247652#M9104 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Prashanta_0-1770435336168.png" style="width: 279px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/70600i3524F4798FD78A65/image-dimensions/279x48?v=v2" width="279" height="48" role="button" title="Prashanta_0-1770435336168.png" alt="Prashanta_0-1770435336168.png" /></span></P> <P>&nbsp;</P> <P>Thank You for reply.&nbsp;</P> <P>Showing<BR />e.os, e.agent is not a valid value.&nbsp;</P> Sat, 07 Feb 2026 03:37:29 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/request-for-query-to-retrieve-endpoint-security-details/m-p/1247652#M9104 Prashanta 2026-02-07T03:37:29Z