Request: XQL query for filename + optional hash logic (single stream)


L1 Bithead

Hi all,
Could someone help me write an XQL query in Cortex XSIAM that:

  • Detects process executions and file create/modify touches matching these names:
    svc.exe, pwrautomate.exe, mcs.bat, cleanup.bat, uri.bat, p.zip
  • Also matches this masquerade regex (case-insensitive):
    ^filters_update_.*_at_abdata\.com\.exe$
  • Treats hash IOCs as optional (include when present; always keep hash hits)
  • Merges process and file events into a single unified result
  • Optionally suppresses name-only hits under known benign directories
  • Optionally supports dedup and a brief counts/triage view

ATT&CK mapping: T1059, T1204.002, T1105, T1106, T1036.
Looking for syntax that’s fully compatible with XSIAM. Thanks!

Accepted Solutions

L5 Sessionator

Hello @N.B238890 ,

 

Greetings for the day.

 

To address your request, here is a comprehensive XQL query designed for Cortex XSIAM that unifies process and file telemetry while meeting your specific filtering, regex, and suppression requirements.

Unified Process and File Detection Query:

This query uses the xdr_data dataset and standard event enums to identify the specified activity.

// Set case-insensitive searching for the entire query
config case_sensitive = false

| dataset = xdr_data

// Filter for Process Executions and File Create/Modify events
| filter (
(event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START) or
(event_type = ENUM.FILE and event_sub_type in (ENUM.FILE_CREATE_NEW, ENUM.FILE_WRITE, ENUM.FILE_RENAME))
)

// Filter for specific filenames and the masquerade regex
| filter (
action_process_image_name in ("svc.exe", "pwrautomate.exe", "mcs.bat", "cleanup.bat", "uri.bat", "p.zip") or
action_file_name in ("svc.exe", "pwrautomate.exe", "mcs.bat", "cleanup.bat", "uri.bat", "p.zip") or
action_process_image_name ~= "^filters_update_.*_at_abdata\.com\.exe$" or
action_file_name ~= "^filters_update_.*_at_abdata\.com\.exe$"
)

// Unify results into consistent fields for Process and File events
| alter
unified_name = coalesce(action_process_image_name, action_file_name),
unified_path = coalesce(action_process_image_path, action_file_path),
unified_hash = coalesce(action_process_image_sha256, action_file_sha256, action_process_image_md5, action_file_md5),
mitre_attack = "T1059, T1204.002, T1105, T1106, T1036"

// OPTIONAL: Suppress hits in known benign directories ONLY IF no hash is present (always keep hash hits)
// | filter not (
// (unified_path contains "C:\Windows\System32\" or unified_path contains "C:\Program Files\")
// and unified_hash = null
// )

// Select relevant fields for investigation
| fields _time, agent_hostname, event_type, event_sub_type, unified_name, unified_path, unified_hash, actor_process_image_name, actor_process_command_line, mitre_attack

// OPTIONAL: Dedup and Triage View (Counts per host/file/hash)
| comp count() as hit_count, latest(_time) as last_seen by agent_hostname, unified_name, unified_path, unified_hash, mitre_attack
| sort desc hit_count
 

Key Components of the Syntax:

Case Insensitivity
The config case_sensitive = false stage ensures that all string comparisons and regex matches are handled regardless of capitalization.

Event Filtering
The query targets:

  • PROCESS_START for executions

  • FILE_CREATE_NEW, FILE_WRITE, and FILE_RENAME for file activity

Regex Matching
The ~= operator is used for the masquerade regex pattern.

 

Unified Results
The coalesce() function merges disparate fields (such as action_process_image_name and action_file_name) into unified columns for easier investigation.

 

Hash Persistence Logic
The optional suppression block is structured to ignore events in common benign paths only if no hash is present. Any event containing a hash is preserved.

 

Triage View
The comp stage provides a summarized, deduplicated view with hit counts and the most recent timestamp, which is useful for high-level triage and scoping.

 

If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar
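The matching, hash-optional suppression and triage rules in the accepted query are easy to get subtly wrong (for example, a suppression that silently drops every name hit, or a regex whose dot is unescaped). The following Python script is an added example, not code from the thread or from Palo Alto Networks: it mirrors the XQL logic (coalesce into unified columns, name list plus case-insensitive masquerade regex, suppress benign directories only when no hash is present, then a comp-style count/last_seen view) over a handful of constructed xdr_data-like events so the rules can be checked offline before they are pasted into XSIAM. The hash IOC value is a constructed placeholder; the thread supplies no hash IOCs.

```python
import re

# IOC names and masquerade regex taken from the thread
IOC_NAMES = {"svc.exe", "pwrautomate.exe", "mcs.bat", "cleanup.bat", "uri.bat", "p.zip"}
MASQUERADE_RE = re.compile(r"^filters_update_.*_at_abdata\.com\.exe$", re.IGNORECASE)
# Optional hash IOCs: constructed placeholder value, not from the thread (empty set = name logic only)
HASH_IOCS = {"11" * 32}
# Benign directories used by the query's optional suppression block (XQL 'contains' = substring match)
BENIGN_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

# Constructed sample events shaped like the xdr_data columns the query uses
SAMPLE_EVENTS = [
    {"_time": 1, "agent_hostname": "ws01", "event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "action_process_image_name": "svc.exe",
     "action_process_image_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe",
     "action_process_image_sha256": "aa" * 32},
    {"_time": 2, "agent_hostname": "ws02", "event_type": "FILE", "event_sub_type": "FILE_WRITE",
     "action_file_name": "p.zip", "action_file_path": "C:\\Users\\alice\\Downloads\\p.zip"},
    # masquerade name in mixed case, inside System32, but with a hash: must survive suppression
    {"_time": 3, "agent_hostname": "ws02", "event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "action_process_image_name": "Filters_Update_20240101_at_abdata.com.exe",
     "action_process_image_path": "C:\\Windows\\System32\\Filters_Update_20240101_at_abdata.com.exe",
     "action_process_image_sha256": "bb" * 32},
    # name-only hit under Program Files with no hash: dropped when suppression is on
    {"_time": 4, "agent_hostname": "ws03", "event_type": "FILE", "event_sub_type": "FILE_CREATE_NEW",
     "action_file_name": "cleanup.bat", "action_file_path": "C:\\Program Files\\Vendor\\cleanup.bat"},
    {"_time": 5, "agent_hostname": "ws01", "event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "action_process_image_name": "notepad.exe", "action_process_image_path": "C:\\Windows\\notepad.exe",
     "action_process_image_sha256": "cc" * 32},
    # hash-only hit: name is not on the list, hash is an IOC
    {"_time": 6, "agent_hostname": "ws03", "event_type": "FILE", "event_sub_type": "FILE_WRITE",
     "action_file_name": "report.pdf", "action_file_path": "C:\\Users\\carol\\report.pdf",
     "action_file_sha256": "11" * 32},
    {"_time": 7, "agent_hostname": "ws01", "event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "action_process_image_name": "svc.exe",
     "action_process_image_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe",
     "action_process_image_sha256": "aa" * 32},
]


def coalesce(*values):
    """First non-null value, like XQL coalesce()."""
    for v in values:
        if v is not None:
            return v
    return None


def unify(ev):
    """Build the unified_name / unified_path / unified_hash columns from process or file fields."""
    return {
        "_time": ev["_time"],
        "host": ev["agent_hostname"],
        "name": coalesce(ev.get("action_process_image_name"), ev.get("action_file_name")),
        "path": coalesce(ev.get("action_process_image_path"), ev.get("action_file_path")),
        "hash": coalesce(ev.get("action_process_image_sha256"), ev.get("action_file_sha256"),
                         ev.get("action_process_image_md5"), ev.get("action_file_md5")),
    }


def name_matches(name):
    """Case-insensitive exact-name list or masquerade regex (config case_sensitive = false)."""
    if name is None:
        return False
    return name.lower() in IOC_NAMES or MASQUERADE_RE.match(name) is not None


def hash_matches(h):
    return h is not None and h.lower() in HASH_IOCS


def in_benign_dir(path):
    return path is not None and any(d in path.lower() for d in BENIGN_DIRS)


def is_hit(u, suppress_benign=False):
    """Hash hits always kept; name hits optionally suppressed in benign dirs when no hash is present."""
    if hash_matches(u["hash"]):
        return True
    if not name_matches(u["name"]):
        return False
    if suppress_benign and u["hash"] is None and in_benign_dir(u["path"]):
        return False
    return True


def detect(events, suppress_benign=False):
    return [u for u in map(unify, events) if is_hit(u, suppress_benign)]


def triage(hits):
    """comp count() as hit_count, latest(_time) as last_seen by host, name, path, hash | sort desc hit_count."""
    groups = {}
    for u in hits:
        key = (u["host"], u["name"], u["path"], u["hash"])
        cnt, last = groups.get(key, (0, 0))
        groups[key] = (cnt + 1, max(last, u["_time"]))
    rows = [{"host": k[0], "name": k[1], "path": k[2], "hash": k[3], "hit_count": c, "last_seen": t}
            for k, (c, t) in groups.items()]
    return sorted(rows, key=lambda r: r["hit_count"], reverse=True)


if __name__ == "__main__":
    for row in triage(detect(SAMPLE_EVENTS, suppress_benign=True)):
        print(row)
```

Two points worth noticing when running it: the suppression only ever removes rows whose unified_hash is null, and process-start rows in xdr_data typically carry action_process_image_sha256, so in practice the benign-directory filter mostly affects file rows; and the regex must escape the dots (`\.com\.exe`), otherwise `abdataXcom.exe` would also match, as the last test case shows.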
