01-08-2026 06:59 AM
I want to know how to perform an XQL query for Android devices, where I search by hash and it shows me all the devices that have that .apk with that hash, or I can search by name.
01-21-2026 07:23 AM
Hello @QuestionAb ,
Greetings for the day.
To perform an XQL query for Android devices to find a specific .apk by its hash or name, you can use several approaches depending on whether you are looking for historical activity (logs) or the current installation status (inventory).
To identify all devices where a specific file hash has been seen in historical activity, use the xdr_data dataset. This search relies on the telemetry reported when the Android agent scans apps or when activities like installations occur.
XQL Query Template (Historical Activity):
dataset = xdr_data
| filter os_type = ENUM.OS_ANDROID
| filter action_file_sha256 = "INSERT_HASH_HERE"
| fields _time, agent_hostname, action_file_name, action_file_sha256, action_file_path
Note: Ensure the hash is in SHA256 format, as this is the standard used for file identification in Cortex XDR.
If you do not have the hash, you can search for the filename. For historical logs, use the action_file_name field.
XQL Query Template (Historical Activity):
dataset = xdr_data
| filter os_type = ENUM.OS_ANDROID
| filter action_file_name contains "app_name"
| fields _time, agent_hostname, action_file_name, action_file_sha256
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Happy New Year!!
Thanks & Regards,
S. Subashkar Sekar
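The two templates in the reply above return one row per event. The query below is an added example, not part of the original reply. It accepts either the hash or the name and collapses the results to one row per device and file. INSERT_HASH_HERE and app_name are the same placeholders used above. The output column names events, first_seen and last_seen are chosen here for illustration.

```xql
// Added example: one row per Android device and file, instead of one row per event.
// Placeholders: replace INSERT_HASH_HERE and app_name with your own values.
// The time range is taken from the time period selected for the query.
dataset = xdr_data
| filter os_type = ENUM.OS_ANDROID
// Match on the SHA256 hash or on part of the file name
| filter action_file_sha256 = "INSERT_HASH_HERE" or action_file_name contains "app_name"
// Aggregate the matching events per device and file
| comp count(action_file_name) as events, min(_time) as first_seen, max(_time) as last_seen by agent_hostname, action_file_name, action_file_sha256
// Most recently seen devices first
| sort desc last_seen
```

Because xdr_data holds historical activity, a device appears here only if the file was reported in telemetry within the selected time range.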

