topic Get all parent processes of a given process with XQL in Cortex XDR Discussions

Get all parent processes of a given process with XQL

MaaHaa — Wed, 22 Apr 2026 17:25:10 GMT

I am trying to obtain a linear process tree for a specific process using XQL.

Example:
In the Causality Chain view, the process tree for Process X looks as follows:

explorer.exe → Process Z → Process Y → Process X

I want to write a query that returns exactly those three process events (excluding explorer.exe) that spawned the next process up until Process X.

I was able to create a query that lists all child processes of Process Z (i.e., the full CGO tree). However, I am only interested in the linear parent–child chain leading to Process X, and not in any other child processes that Process Z or Process Y may have spawned.

Re: Get all parent processes of a given process with XQL

ThisizAmen — Fri, 24 Apr 2026 08:30:07 GMT

Hello @MaaHaa,

Cortex XDR stores processes as a causality graph, so XQL returns all child processes by default, not just a single parent-child path.

As far as I know, XQL cannot automatically walk the chain step-by-step. You can only manually reconstruct it using instance IDs, for example:
filter action_process_instance_id in ("X_ID", "Y_ID", "Z_ID")

I hope this helps.

Re: Get all parent processes of a given process with XQL

MaaHaa — Mon, 27 Apr 2026 07:32:56 GMT

Hello @ThisizAmen

Thanks four your reply.
Unfortunately, I'm a complete Beginner in XQL. Could you provide an example for manually reconstructing the process chain? How could I retrieve the PID of e.g. process Y or process Z?
In the alert event, I only have the PID of the main process (x) and the CGO (which in this case is Z, but could also be a process higher up in the chain).

Re: Get all parent processes of a given process with XQL

ThisizAmen — Mon, 27 Apr 2026 13:20:59 GMT

Greetings @MaaHaa ,

There is no problem, you can get the PID via this query:

dataset = xdr_data
| filter event_type = ENUM.PROCESS
| filter action_process_instance_id = "X_ID"
| fields
action_process_image_name,
action_process_pid,
actor_process_image_name,
actor_process_pid,
actor_process_instance_id
 

CGO is the process responsible for the whole chain, not necessarily the immediate parent.

And also, You might think: I have X and Z, can I just find what’s between them? Basically, no via XQL. My knowledge is not as deep as the Palo Alto engineers themselves, so I suggest you reach out to them for this particular case.