The Ultimate XQL Cheat Sheet - 25+ Essential Queries for Cortex XDR
A comprehensive collection of XQL queries for threat hunting, investigation, and dashboard widgets.
Having a solid library of XQL queries is essential for any Palo Alto Cortex analyst. This cheat sheet provides 25+ queries divided into Dashboard Widget queries (optimized for visualization) and Investigation queries (optimized for threat hunting).
Part 1: Widget & Visualization Queries
These queries use comp to aggregate data, making them perfect for Pie charts, Bar charts, and dashboards.
1. Top 10 Users with Failed Logins (Bar Chart)
dataset = xdr_data
| filter event_type = "LOGIN" and outcome = "FAILURE"
| comp count(event_id) as failure_count by actor_effective_username
| sort desc failure_count
| limit 10
2. Incident Severity Distribution (Pie Chart)
dataset = incidents
| comp count(incident_id) as total by severity
3. Endpoint OS Distribution (Donut Chart)
dataset = endpoints
| comp count(endpoint_id) as total by os_type
4. Top 10 Malicious Domains Blocked (Table Widget)
dataset = pan_traffic_raw
| filter action = "deny" and category = "malware"
| comp count(event_id) as blocks by destination_hostname
| sort desc blocks
| limit 10
5. Network Traffic Volume by App (Area Chart)
dataset = pan_traffic_raw
| alter time_bucket = bin(_time, 1h)
| comp sum(bytes_sent + bytes_received) as total_bytes by time_bucket, app
6. Suspicious Powershell Executions over Time (Line Chart)
dataset = xdr_data
| filter actor_process_image_name == "powershell.exe"
| alter time_bucket = bin(_time, 1h)
| comp count(event_id) as executions by time_bucket
7. Top Attack Sources by Country (Map Widget)
dataset = pan_traffic_raw
| filter action = "deny"
| comp count(event_id) as attacks by source_country
8. Data Exfiltration Alert (Threshold Widget)
dataset = pan_traffic_raw
| comp sum(bytes_sent) as uploads by source_ip
| filter uploads > 1000000000 // 1GB Threshold
9. Agent Health Status (Summary Widget)
dataset = endpoints
| comp count(endpoint_id) as count by endpoint_status
10. Most Common Malware Signatures (Bar Chart)
dataset = xdr_data
| filter event_type = "MALWARE_DETECTED"
| comp count(event_id) as detections by threat_name
Part 2: Normal Search & Investigation Queries
These queries return detailed rows, useful for deep-dive forensic investigations.
11. Find All Executions from USB Drives
dataset = xdr_data
| filter actor_process_image_path contains ":\RECYCLER\" or actor_process_image_path contains "Removable"
12. Locate Specific File Hash across Network
dataset = xdr_data
| filter action_file_sha256 = "your_hash_here"
| fields _time, endpoint_name, actor_process_image_name, action_file_path
13. Trace RDP Connections to Internal IPs
dataset = pan_traffic_raw
| filter destination_port = 3389 and destination_ip_internal = true
| fields _time, source_ip, destination_ip, user
14. Identify "Living off the Land" Binaries (Lolbins)
dataset = xdr_data
| filter actor_process_image_name in ("certutil.exe", "bitsadmin.exe", "mshta.exe")
15. Detect Base64 Commands in PowerShell
dataset = xdr_data
| filter actor_process_image_name == "powershell.exe"
| filter actor_process_command_line contains "-enc" or actor_process_command_line contains "Base64"
16. Search for Newly Created Local Accounts
dataset = xdr_data
| filter event_type = "USER_MANAGEMENT" and action_type = "CREATE"
17. Monitor Modification of Sensitive Registry Keys
dataset = xdr_data
| filter event_type = "REGISTRY"
| filter action_registry_key_name contains "CurrentVersion\Run"
18. Find Suspicious Parent-Child Process Relationships (e.g. Word -> CMD)
dataset = xdr_data
| filter actor_process_image_name == "winword.exe" and action_process_image_name == "cmd.exe"
19. Identify Excessive DNS Queries (Potential Tunneling)
dataset = pan_traffic_raw
| filter destination_port = 53
| comp count(event_id) as dns_queries by source_ip, destination_hostname
| filter dns_queries > 500
20. List Processes listening on non-standard ports
dataset = xdr_data
| filter event_type = "NETWORK" and action_local_port not in (80, 443, 8080)
21. Detect LSASS Memory Dumping
dataset = xdr_data
| filter action_process_image_name == "lsass.exe" and action_type = "OPEN_PROCESS"
22. Find Files Downloaded via Browser then Executed
dataset = xdr_data
| filter actor_process_image_name in ("chrome.exe", "firefox.exe", "msedge.exe")
| filter action_type = "FILE_WRITE"
23. Investigate SSH Logins from External IPs
dataset = xdr_data
| filter event_type = "LOGIN" and auth_method = "ssh" and source_ip_internal = false
24. Audit Admin Activity in the Cloud Console
dataset = cloud_audit_logs
| filter user_role = "Admin" and action_type != "GET"
25. Spot Hidden Files/Directories being Accesses
dataset = xdr_data
| filter action_file_path contains "\." // Unix style hidden
| filter action_file_path contains "$RECYCLE.BIN" // Windows style
Conclusion
Whether you are building a NOC dashboard or hunting for an advanced persistent threat (APT), these queries provide a solid foundation. Remember to always test your queries on a small time range before scaling up to ensure performance!