01-06-2026 09:05 AM
Does anyone know how to perform bulk queries in Cortex XDR for Android devices? I want it to show me all Android devices that contain a specific hash or that contain the same APK file.
01-22-2026 08:20 AM
Hello @QuestionAb ,
Greetings for the day.
To perform bulk queries in Cortex XDR for Android devices to find specific hashes or APK files, you should use XQL Search (Query Builder) or the File Search feature, as the standard All Endpoints UI filter does not support bulk lookup via comma-separated lists or copy-pasted values.
The most efficient way to query multiple hashes or application names across your Android fleet is through Cortex Query Language (XQL). The Cortex XDR agent for Android automatically scans all installed apps, generates a hash for each, and reports this information to the console.
You can use the in operator to search for multiple values simultaneously:
dataset = host_inventory
| filter os_type = OS_ANDROID
| filter <to_review_by_yourself>application_hash in ("SHA256_HASH_1", "SHA256_HASH_2", "SHA256_HASH_3")
| fields endpoint_name, <to_review_by_yourself>application_name, <to_review_by_yourself>application_hash
Note:
The exact field names for Android application inventory in the host_inventory dataset (such as application_hash or application_package_name) should be verified in the XQL schema dictionary for your tenant.
You can search for specific files by their SHA256 hash across all endpoints using the File Search feature in the Action Center.
Location:
Navigate to Incident Response → Response → Action Center → + New Action → File Search
Capabilities:
This feature supports searching for hashes of file types analyzed by WildFire. Since APK files are a supported file type for WildFire analysis, they can be searched for by hash across all endpoints.
If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".
Happy New Year!!
Thanks & Regards,
S. Subashkar Sekar
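Added example (not part of the reply above and not Palo Alto Networks code): a Python helper that turns an indicator list into the `in (...)` filter from the reply, keeping only well-formed SHA-256 values so stray text never reaches the query. The field names are the same unverified placeholders the reply flags; `clean_hashes`, `build_queries` and `chunk_size` are hypothetical names, and the sample list is constructed.

```python
import re

SHA256_RE = re.compile(r"[0-9a-f]{64}")
FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def clean_hashes(lines):
    """Return (valid, rejected); valid = unique lowercase SHA-256 values, input order."""
    valid, rejected, seen = [], [], set()
    for raw in lines:
        value = raw.strip().lower()
        if not value or value.startswith("#"):
            continue  # skip blank lines and comment lines
        if not SHA256_RE.fullmatch(value):
            rejected.append(raw.strip())  # MD5/SHA-1, truncated value or stray text
        elif value not in seen:
            seen.add(value)
            valid.append(value)
    return valid, rejected

def build_queries(hashes, hash_field="application_hash",
                  name_field="application_name", chunk_size=100):
    """Build one XQL query per chunk of hashes.

    Field names are assumptions: verify them in your tenant's XQL schema.
    chunk_size is an arbitrary convenience value, not a documented product limit.
    """
    for field in (hash_field, name_field):
        if not FIELD_RE.fullmatch(field):
            raise ValueError(f"unexpected field name: {field!r}")
    if chunk_size < 1 or not all(SHA256_RE.fullmatch(h) for h in hashes):
        raise ValueError("chunk_size must be >= 1 and hashes must be cleaned SHA-256")
    queries = []
    for start in range(0, len(hashes), chunk_size):
        quoted = ", ".join(f'"{h}"' for h in hashes[start:start + chunk_size])
        queries.append(
            "dataset = host_inventory\n"
            "| filter os_type = OS_ANDROID\n"
            f"| filter {hash_field} in ({quoted})\n"
            f"| fields endpoint_name, {name_field}, {hash_field}"
        )
    return queries

# Constructed sample input: mixed case, a duplicate, an MD5 and a malformed entry.
SAMPLE = ["# constructed sample list", "A" * 64, "a" * 64, "b" * 64,
          "d41d8cd98f00b204e9800998ecf8427e", "c" * 63 + '"', ""]

if __name__ == "__main__":
    good, bad = clean_hashes(SAMPLE)
    print(f"rejected {len(bad)} entries: {bad}")
    print("\n\n".join(build_queries(good)))
```

Review the rejected entries before running the queries: a rejected line usually means the indicator feed mixed hash types or a value was truncated when copied.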

