01-08-2026 06:53 AM
Does anyone know how to perform bulk queries in Cortex XDR for Android devices? I want it to show me all Android devices that contain a specific hash or that contain the same APK file.
Please, I'm open to suggestions.
01-13-2026 12:21 PM - edited 01-14-2026 11:49 AM
Hello @QuestionAb ,
Greetings for the day!
To perform a bulk search for multiple hashes or package names across the fleet using XQL, the recommended approach is to use the in operator within a filter stage. This allows for set-based lookups that are significantly more efficient than multiple individual queries or complex OR logic.
When searching for a list of SHA256 hashes in historical event data, use the xdr_data dataset and the action_file_sha256 field.
The following syntax is recommended for bulk hash lookups:
dataset = xdr_data
| filter action_file_sha256 in (
"hash_value_1",
"hash_value_2",
"hash_value_3"
)
| fields _time, agent_hostname, action_file_sha256, action_file_name, action_file_path
| sort asc _time
For identifying specific software or package names across endpoints (including mobile/Android inventory), use the host_inventory_applications preset or the host_inventory dataset.
Based on the provided software inventory examples, use this syntax:
preset = host_inventory_applications
| filter application_name in ("package_name_1", "package_name_2")
| fields endpoint_name, application_name, raw_version, vendor
| sort asc endpoint_name
If specific Android package fields are required for the search, you may need to verify the exact field names in the schema tab of the XQL Search interface by entering dataset = * and inspecting the available fields.
- in operator: this is the canonical set operator for checking if a field's value matches any item in a provided list.
- The xdr_data dataset supports up to 1,000,000 results; bulk file searches via the Action Center (UI-based "Search File" function) are typically limited to one hash at a time.
- Filter as early as possible in the query to reduce the data volume and improve performance.
- Add config case_sensitive = false at the start of the query.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Happy New Year!!
Thanks & Regards,
S. Subashkar Sekar
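The answer above shows the in-operator filter with hand-typed placeholder values. In practice the hash or package list is pasted from a report or intel feed, so the step worth automating is building that filter stage safely. The following Python is an added example (not code from the post or from Palo Alto Networks): it validates every value as a SHA256 digest or an Android package name before quoting it into the query, de-duplicates, and renders the two query shapes from the answer. The filter on agent_os_type = ENUM.AGENT_OS_ANDROID is an assumption about the xdr_data schema and should be confirmed in the schema tab, as the answer advises; the strict validation is what stops a malformed line in an IOC list from injecting extra XQL stages into the search.

```python
"""Build bulk XQL `filter <field> in (...)` queries from a pasted IOC list.

Added example, not from the LIVEcommunity post or from Palo Alto Networks.
Every value is validated before it is quoted into the query, so a stray line
in a hash or package list cannot smuggle additional XQL stages into it.
"""
import re
from typing import Callable, Iterable, List

# SHA256 digest: exactly 64 hex characters (compared lower-case).
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Android package name: dot-separated identifiers, at least two segments.
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def is_sha256(value: str) -> bool:
    return bool(SHA256_RE.match(value))


def is_package_name(value: str) -> bool:
    return bool(PACKAGE_RE.match(value))


def normalize(raw: Iterable[str], accept: Callable[[str], bool], lowercase: bool) -> List[str]:
    """Strip, optionally lower-case, validate and de-duplicate (order kept)."""
    seen, out = set(), []
    for line in raw:
        value = line.strip()
        if not value or value.startswith("#"):
            continue  # blank lines and comments in the pasted list
        if lowercase:
            value = value.lower()
        if not accept(value):
            raise ValueError(f"rejected IOC value: {value!r}")
        if value not in seen:
            seen.add(value)
            out.append(value)
    return out


def in_stage(field: str, values: List[str]) -> str:
    """Render `| filter <field> in ("v1", "v2", ...)`, one value per line."""
    if not values:
        raise ValueError("empty value list")
    # Values passed the regexes above, so they contain no quotes or newlines.
    body = ",\n".join(f'    "{v}"' for v in values)
    return f"| filter {field} in (\n{body}\n)"


def hash_query(raw_hashes: Iterable[str], android_only: bool = False) -> str:
    """Historical file events (xdr_data) for a list of SHA256 hashes."""
    hashes = normalize(raw_hashes, is_sha256, lowercase=True)
    stages = [
        "config case_sensitive = false",
        "| dataset = xdr_data",
        in_stage("action_file_sha256", hashes),
    ]
    if android_only:
        # ASSUMPTION: agent_os_type / ENUM.AGENT_OS_ANDROID are the field and
        # value to test; confirm both in the XQL schema tab before relying on it.
        stages.append("| filter agent_os_type = ENUM.AGENT_OS_ANDROID")
    stages += [
        "| fields _time, agent_hostname, action_file_sha256, action_file_name, action_file_path",
        "| sort asc _time",
    ]
    return "\n".join(stages)


def package_query(raw_packages: Iterable[str]) -> str:
    """Installed-software inventory for a list of package names."""
    packages = normalize(raw_packages, is_package_name, lowercase=False)
    return "\n".join([
        "preset = host_inventory_applications",
        in_stage("application_name", packages),
        "| fields endpoint_name, application_name, raw_version, vendor",
        "| sort asc endpoint_name",
    ])


# Constructed sample input: a comment line, the same digest in two cases
# (it is SHA256 of the empty string), and a second made-up digest.
SAMPLE_HASHES = [
    "# suspicious APKs from the weekly report",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "0123456789abcdef" * 4,
]
SAMPLE_PACKAGES = ["com.example.dropper", "com.example.dropper", "net.example.loader"]

if __name__ == "__main__":
    print(hash_query(SAMPLE_HASHES, android_only=True))
    print()
    print(package_query(SAMPLE_PACKAGES))
```

Paste the printed text into XQL Search as-is. If the list is long, split it and run several queries rather than loosening the validation; the regexes are the only thing standing between the pasted list and the query text.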
01-14-2026 12:34 PM
Thank you so much my friend
It helps a lot
Happy new year as well
Best regards