This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Query to see user that launched an EXE and how many times

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Query to see user that launched an EXE and how many times

Go to solution
J.Suter
L2 Linker

‎05-14-2025 08:59 AM - edited ‎05-14-2025 09:42 AM

I've been trying so many different queries and cant seem to make one that shows me what users launched an EXE and when or how many times as a count.

As an example to make it easy:

Search for everyone that executed winword.exe and show me when they did it. 

Or search of everyone that executed winword.exe and count of times in X range

If anyone has a query and could share it that would be so helpful, I'm having a hard time getting my schema to work.

Thank you so much!
Cortex XDR 

Edit: I have this working, but I'm not stuck on how to make a count: the "winword.exe" will become $Application for my user base.

dataset = xdr_data
 | filter action_process_image_name = "winword.exe"
 | fields agent_hostname , actor_effective_username , action_process_image_name , action_process_image_path 
 | sort desc _time

Got it, leaving this here for anyone else that may need this information:

dataset = xdr_data
 | filter action_process_image_name = "winword.exe"
 | fields agent_hostname , actor_effective_username , action_process_image_name , action_process_image_path
 | comp count(actor_effective_username) as counter by actor_effective_username
 | sort desc Counter

 

Cortex XDR
Thumbnail of Cortex XDR
Palo Alto Networks
Cortex XDR
Security Operations
View on Product Page
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
J.Suter
L2 Linker

‎05-27-2025 10:04 AM

Issue was solved in the initial post, found the proper schema to use to find all the data needed, see main comment: https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-see-user-that-launched-an-exe-a...

View solution in original post

0 Likes Likes
2 REPLIES 2

Go to solution
mbasutkar
L0 Member

‎05-15-2025 08:12 AM

Hi,

You can use the below XQL query to search the file executions

 

config timeframe = 7d
|dataset = xdr_data
| filter event_type = ENUM.PROCESS
| filter actor_process_image_name = "chrome.exe"
| fields _time, agent_hostname, actor_effective_username, actor_process_image_name, actor_process_image_path, actor_process_image_md5, actor_process_file_create_time, actor_process_execution_time, actor_process_signature_product, actor_process_file_internal_name
| sort desc _time

 

Please accept this solution if this resolves your query.

 

Regards,

Manjunath Basutkar

0 Likes Likes

Go to solution
J.Suter
L2 Linker

‎05-27-2025 10:04 AM

Issue was solved in the initial post, found the proper schema to use to find all the data needed, see main comment: https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/query-to-see-user-that-launched-an-exe-a...

0 Likes Likes
  • 1 accepted solution
  • 548 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks