This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

Get all parent processes of a given process with XQL

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Get all parent processes of a given process with XQL

MaaHaa
L0 Member

‎04-22-2026 10:25 AM

I am trying to obtain a linear process tree for a specific process using XQL.

 

Example:
In the Causality Chain view, the process tree for Process X looks as follows:

explorer.exe → Process Z → Process Y → Process X

I want to write a query that returns exactly those three process events (excluding explorer.exe) that spawned the next process up until Process X.

 

I was able to create a query that lists all child processes of Process Z (i.e., the full CGO tree). However, I am only interested in the linear parent–child chain leading to Process X, and not in any other child processes that Process Z or Process Y may have spawned.

0 Likes Likes
3 REPLIES 3

ThisizAmen
L1 Bithead

‎04-24-2026 01:29 AM - edited ‎04-24-2026 01:30 AM

Hello @MaaHaa,

 

Cortex XDR stores processes as a causality graph, so XQL returns all child processes by default, not just a single parent-child path.

As far as I know, XQL cannot automatically walk the chain step-by-step. You can only manually reconstruct it using instance IDs, for example:
filter action_process_instance_id in ("X_ID", "Y_ID", "Z_ID")

I hope this helps.

Best Regards,
Amin Gurbanli,
SOC T2 Team Lead
0 Likes Likes

MaaHaa
L0 Member
In response to ThisizAmen

‎04-27-2026 12:32 AM

Hello @ThisizAmen 

 

Thanks four your reply.
Unfortunately, I'm a complete Beginner in XQL. Could you provide an example for manually reconstructing the process chain? How could I retrieve the PID of e.g. process Y or process Z?
In the alert event, I only have the PID of the main process (x) and the CGO (which in this case is Z, but could also be a process higher up in the chain).

0 Likes Likes

ThisizAmen
L1 Bithead
In response to MaaHaa

‎04-27-2026 06:20 AM

 

Greetings @MaaHaa ,

There is no problem, you can get the PID via this query:

 

 
dataset = xdr_data
| filter event_type = ENUM.PROCESS
| filter action_process_instance_id = "X_ID"
| fields
action_process_image_name,
action_process_pid,
actor_process_image_name,
actor_process_pid,
actor_process_instance_id
 
CGO is the process responsible for the whole chain, not necessarily the immediate parent.

And also, You might think: I have X and Z, can I just find what’s between them? Basically, no via XQL. My knowledge is not as deep as the Palo Alto engineers themselves, so I suggest you reach out to them for this particular case.

Best Regards,
Amin Gurbanli,
SOC T2 Team Lead
0 Likes Likes
  • 519 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks