https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-call-quot-functions-from-scripts-library/m-p/510479#M2423 <P>Hi Bbamanroy,</P> <P><BR />Yeah.. this one I created myself. Take this for example</P> <P>=====</P> <P>config case_sensitive = false timeframe = 7d<BR />| preset = host_inventory_auto_runs <BR />| filter endpoint_name = $Hostname and cmd in ("*appdata*","c:\users*")<BR />=====<BR />I'm taking $Hostname as a parameter for the query.</P> <P>&nbsp;</P> <P>I have multiple saved queries in the library that requires a hostname to be passed and I wanted to be able to call them and probably use join/union to merge the results.</P> <P>&nbsp;</P> <P>Sure I can use both join/union in the query but I want to make them flexible like:</P> <P>I will use w, x, y, and z queries for a certain event&nbsp;</P> <P>w, x, and y for another</P> <P>and so on..</P> <P>&nbsp;</P> <P>Appreciate the response!</P> <P>&nbsp;</P> Mon, 01 Aug 2022 18:43:02 GMT JillianSagun 2022-08-01T18:43:02Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-call-quot-functions-from-scripts-library/m-p/510345#M2410 <P>Hi Peeps,</P> <P>&nbsp;</P> <P>So XQL has this call function to fetch results from a saved query in the query library. Lets take this for example:</P> <P>&nbsp;</P> <P>call "All appdata executions for the past 30 days"</P> <P>&nbsp;</P> <P>Now, the problem is that my saved query is waiting for a parameter "$hostname". Anyone have any ideas how to pass that parameter through XQL?</P> <P>&nbsp;</P> <P>Or probably point me to a KB of some sorts.</P> <P>&nbsp;</P> <P>Thanks a lot,</P> <P>Jill</P> Fri, 29 Jul 2022 23:25:37 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-call-quot-functions-from-scripts-library/m-p/510345#M2410 JillianSagun 2022-07-29T23:25:37Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-call-quot-functions-from-scripts-library/m-p/510346#M2411 <P>Sorry<BR /><SPAN>XQL "call" functions from <STRONG>query</STRONG> library I mean</SPAN></P> Fri, 29 Jul 2022 23:26:54 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-call-quot-functions-from-scripts-library/m-p/510346#M2411 JillianSagun 2022-07-29T23:26:54Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-call-quot-functions-from-scripts-library/m-p/510385#M2414 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/198067">@JillianSagun</a>&nbsp;</P> <P>Go to Query library, and paste the XQL query in the thread here for us to replicate and advise accordingly. I believe this might not be created by Palo Alto Networks.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bbarmanroy_0-1659332020885.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/42713i4329B92D5D3095B7/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="bbarmanroy_0-1659332020885.png" alt="bbarmanroy_0-1659332020885.png" /></span></P> <P>&nbsp;</P> Mon, 01 Aug 2022 05:33:46 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-call-quot-functions-from-scripts-library/m-p/510385#M2414 bbarmanroy 2022-08-01T05:33:46Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-call-quot-functions-from-scripts-library/m-p/510479#M2423 <P>Hi Bbamanroy,</P> <P><BR />Yeah.. this one I created myself. Take this for example</P> <P>=====</P> <P>config case_sensitive = false timeframe = 7d<BR />| preset = host_inventory_auto_runs <BR />| filter endpoint_name = $Hostname and cmd in ("*appdata*","c:\users*")<BR />=====<BR />I'm taking $Hostname as a parameter for the query.</P> <P>&nbsp;</P> <P>I have multiple saved queries in the library that requires a hostname to be passed and I wanted to be able to call them and probably use join/union to merge the results.</P> <P>&nbsp;</P> <P>Sure I can use both join/union in the query but I want to make them flexible like:</P> <P>I will use w, x, y, and z queries for a certain event&nbsp;</P> <P>w, x, and y for another</P> <P>and so on..</P> <P>&nbsp;</P> <P>Appreciate the response!</P> <P>&nbsp;</P> Mon, 01 Aug 2022 18:43:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-call-quot-functions-from-scripts-library/m-p/510479#M2423 JillianSagun 2022-08-01T18:43:02Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-call-quot-functions-from-scripts-library/m-p/510509#M2425 <P>This works for me:<BR />call "Host Inventory Autorun" Hostname="Bisma"</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bbarmanroy_0-1659406766161.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/42722iAF5585111C6E51AB/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="bbarmanroy_0-1659406766161.png" alt="bbarmanroy_0-1659406766161.png" /></span></P> <P>&nbsp;</P> Tue, 02 Aug 2022 02:19:43 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-call-quot-functions-from-scripts-library/m-p/510509#M2425 bbarmanroy 2022-08-02T02:19:43Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-call-quot-functions-from-scripts-library/m-p/510577#M2428 <P>Weird.. I tried something similar but anyways thank you!</P> <P>&nbsp;</P> <P>Works for me too.</P> Tue, 02 Aug 2022 14:02:15 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-quot-call-quot-functions-from-scripts-library/m-p/510577#M2428 JillianSagun 2022-08-02T14:02:15Z