topic Re: XQL query Host Inventory numerical values Services in Cortex XDR Discussions

XQL query Host Inventory numerical values Services

NathanBradley — Thu, 30 Jun 2022 17:56:06 GMT

When running xql queries against host inventory i have 2 questions

Is there documentation that states what each field means in the array

The example below " start mode" and "state" are numerical

It appears start mode3= "Service Manual Start" but i need a full list to show what number represents stopped, paused...etc

Once i know start mode3 = service manual start

How can i use xql to change the result to reflect the name instead of numerical value

{

"accept_pause": false,

"accept_stop": false,

"delayed": false,

"desktop_interact": false,

"display_name": "displayname",

"path_name": "path",

"service_name": "name",

"service_type": "SERVICE_WIN32_SHARE_PROCESS",

"start_mode": 3,

"start_user_name": "NT AUTHORITY\\LocalService",

"started": false,

"state": 1

Re: XQL query Host Inventory numerical values Services

SilviuMihailDascalu — Thu, 30 Jun 2022 18:55:18 GMT

Hi @NathanBradley ,

Thanks for reaching out to Live Community discussion board.

1. Unfortunately there isn't a description available. We are working continuously in providing more insights in the XQL value definitions. This information is coming directly from Microsoft and you can identify the meaning of each value behind here.

2. You should be able to leverage the alter function in order to obtain your desired results. More information is available here.

e.g

| alterstart_mode = replace(replace(replace(start_mode, "1", "Service Manual Start"),"2", "Service Manual Stop"), "3", "Service Automated")

Please let me know if you have any questions or concerns!

Thanks,

Silviu

Re: XQL query Host Inventory numerical values Services

NathanBradley — Fri, 01 Jul 2022 15:32:41 GMT

thanks that works for me these are the 2 lines added

| alter state = replace(replace(replace(replace(replace(replace(replace(state, "1", "Start_Pending"),"2", "Stop_Pending"), "3", "Running"), "4", "Continue_Pending"), "5", "Pause_Pending"), "6", "Paused"), "0", "Stopped")
| alter start_mode = replace(replace(replace(replace(replace(start_mode, "4", "Disabled"),"2", "Automatic"),"0", "Boot"),"1", "System,"),"3", "Manual")