Request: XQL query for filename + optional hash logic (single stream)

N.B238890 — Wed, 04 Mar 2026 11:31:48 GMT

Hi all,
Could someone help me write an XQL query in Cortex XSIAM that:

Detects process executions and file create/modify touches matching these names:
svc.exe, pwrautomate.exe, mcs.bat, cleanup.bat, uri.bat, p.zip
Also matches this masquerade regex (case-insensitive):
^filters_update_.*_at_abdata\.com\.exe$
Treats hash IOCs as optional (include when present; always keep hash hits)
Merges process and file events into a single unified result
Optionally suppresses name-only hits under known benign directories
Optionally supports dedup and a brief counts/triage view

ATT&CK mapping: T1059, T1204.002, T1105, T1106, T1036.
Looking for syntax that’s fully compatible with XSIAM. Thanks!

Re: Request: XQL query for filename + optional hash logic (single stream)

susekar — Wed, 04 Mar 2026 15:00:53 GMT

Hello @N.B238890 ,

Greetings for the day.

To address your request, here is a comprehensive XQL query designed for Cortex XSIAM that unifies process and file telemetry while meeting your specific filtering, regex, and suppression requirements.

Unified Process and File Detection Query:

This query uses the xdr_data dataset and standard event enums to identify the specified activity.

// Set case-insensitive searching for the entire query
config case_sensitive = false 

| dataset = xdr_data

// Filter for Process Executions and File Create/Modify events
| filter (
 (event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START) or 
 (event_type = ENUM.FILE and event_sub_type in (ENUM.FILE_CREATE_NEW, ENUM.FILE_WRITE, ENUM.FILE_RENAME))
)

// Filter for specific filenames and the masquerade regex
| filter (
 action_process_image_name in ("svc.exe", "pwrautomate.exe", "mcs.bat", "cleanup.bat", "uri.bat", "p.zip") or
 action_file_name in ("svc.exe", "pwrautomate.exe", "mcs.bat", "cleanup.bat", "uri.bat", "p.zip") or
 action_process_image_name ~= "^filters_update_.*_at_abdata\.com\.exe$" or
 action_file_name ~= "^filters_update_.*_at_abdata\.com\.exe$"
)

// Unify results into consistent fields for Process and File events
| alter 
 unified_name = coalesce(action_process_image_name, action_file_name),
 unified_path = coalesce(action_process_image_path, action_file_path),
 unified_hash = coalesce(action_process_image_sha256, action_file_sha256, action_process_image_md5, action_file_md5),
 mitre_attack = "T1059, T1204.002, T1105, T1106, T1036"

// OPTIONAL: Suppress hits in known benign directories ONLY IF no hash is present (always keep hash hits)
// | filter not (
// (unified_path contains "C:\Windows\System32\" or unified_path contains "C:\Program Files\") 
// and unified_hash = null
// )

// Select relevant fields for investigation
| fields _time, agent_hostname, event_type, event_sub_type, unified_name, unified_path, unified_hash, actor_process_image_name, actor_process_command_line, mitre_attack

// OPTIONAL: Dedup and Triage View (Counts per host/file/hash)
| comp count() as hit_count, latest(_time) as last_seen by agent_hostname, unified_name, unified_path, unified_hash, mitre_attack
| sort desc hit_count
 

Key Components of the Syntax:

Case Insensitivity
The config case_sensitive = false stage ensures that all string comparisons and regex matches are handled regardless of capitalization.

Event Filtering
The query targets:

PROCESS_START for executions
FILE_CREATE_NEW, FILE_WRITE, and FILE_RENAME for file activity

Regex Matching
The ~= operator is used for the masquerade regex pattern.

Unified Results
The coalesce() function merges disparate fields (such as action_process_image_name and action_file_name) into unified columns for easier investigation.

Hash Persistence Logic
The optional suppression block is structured to ignore events in common benign paths only if no hash is present. Any event containing a hash is preserved.

Triage View
The comp stage provides a summarized, deduplicated view with hit counts and the most recent timestamp, which is useful for high-level triage and scoping.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic Re: Request: XQL query for filename + optional hash logic (single stream) in Cortex XDR Discussions

Request: XQL query for filename + optional hash logic (single stream)

Re: Request: XQL query for filename + optional hash logic (single stream)

Unified Process and File Detection Query:

Key Components of the Syntax: