This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

CPU and Memory Usage

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CPU and Memory Usage

kadirerol
L1 Bithead

‎12-25-2025 09:50 PM

Hello everyone,

I’m looking for an XQL query that shows CPU and memory usage.
For example, I want to visualize something like: the XDR service consumes an average of X% memory and Y% CPU per hour, preferably as a graph.

Could you please help with this?

0 Likes Likes
1 REPLY 1

susekar
L4 Transporter

‎02-11-2026 06:11 AM

Hello @kadirerol ,

 

Greetings for the day.

 

To visualize CPU and memory usage for the Cortex XDR/XSIAM service, you must use the it_metrics dataset. This dataset is designed to collect performance data from endpoints.

 

Prerequisites:

Before querying this data, ensure that IT Metrics Collection is enabled in your Agent Settings profile:

  1. Navigate to Settings → Endpoints → Agent Settings.

  2. Edit the relevant profile.

  3. Enable the Collect IT Data option.

 

XQL Query for XDR Service Performance

The following query filters for common Cortex XDR process names (such as cyserver.exe, trapsd, and pmd), calculates hourly averages for CPU and memory usage, and prepares the data for a line graph.

In the it_metrics dataset:

  • CPU usage is reported as a percentage (%) per core.

  • Memory usage is reported in bytes.

dataset = it_metrics 
| filter os_actor_process_os_name in ("trapsd", "trapsd.exe", "cyserver.exe", "pmd", "cortex-xdr-payload.exe")
| bin _time span = 1h
| comp avg(cpu_avg) as avg_cpu_percent, 
       avg(memory_avg) as avg_memory_bytes 
       by _time, os_actor_process_os_name, agent_hostname
| alter avg_memory_mb = round(divide(avg_memory_bytes, 1048576), 2)
| view graph type = line xaxis = _time yaxis = avg_cpu_percent series = os_actor_process_os_name

 

Understanding the Results:

CPU Usage (cpu_avg)
Reported as a percentage per core. For example, a value of 10 on a 4-core system represents 10% of a single core’s capacity.

Memory Usage (memory_avg)
Reported in bytes. The query converts this value into megabytes (MB) by dividing by 1,048,576.

Visualization Adjustment
To switch between viewing CPU and memory on the graph, change the yaxis parameter in the view graph stage to either:

  • avg_cpu_percent, or

  • avg_memory_mb

 

Common XDR Process Names by OS:

Windows:

  • cyserver.exe

  • trapsd.exe

  • cortex-xdr-payload.exe

Linux:

  • trapsd

  • pmd

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar

 

 

0 Likes Likes
  • 430 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks