topic Re: Running XQL Query to XDR from an Automation Script : Receiving 500 Bad Synatax from valid query in Cortex XSOAR Discussions

Running XQL Query to XDR from an Automation Script : Receiving 500 Bad Synatax from valid query

michaelsysec242 — Mon, 27 Feb 2023 16:12:46 GMT

Hello all,

I am attempting to run an XQL query from an automation script. The query is valid and can be run manually and this works well both on XSOAR and on the Query Editor section on XDR. Essentially we refer to the query under a variable and then reference the variable under the execute command.... The error I receive is 500 - token recognition error at: '''\"} It appears that what is causing this is the Quote Marks around the query that are included in the command and this is likely the cause. Is there a way to safely run an XQL query in regards to best practice etc ?

Another question, I can use a saved query from the tenant and then to run it with my custom variables, is it possible to run a saved query with incident variables on an automation ?

Many thanks,

#XDR

#XSOAR

Re: Running XQL Query to XDR from an Automation Script : Receiving 500 Bad Synatax from valid query

MBeauchamp2 — Tue, 28 Feb 2023 17:02:22 GMT

If you run the query via the command line, can you copy the argument to the automation? The result should escape the quotes for you.

It should work the same when used in an automation, if you're hard coding the query then you need to escape the quotes.

Alternatively add an argument to your automation and pass the query in that way, and you won't have to escape anything. You can grab it as a variable and pass it to the executeCommand call.

Re: Running XQL Query to XDR from an Automation Script : Receiving 500 Bad Synatax from valid query

michaelsysec242 — Thu, 02 Mar 2023 13:53:03 GMT

Hey @MBeauchamp2 ,

I have tried running a simpler XQL Query and I have succeeded in running in an getting results. Below I will attach both queries.

From What I can understand the difference between the two queries is that In the more complex one there are elements of regex for field value extraction. It appears that this may be the problem. I will attempt to run the automation with the Query as a static argument. I will update you if this works.

May thanks,

Simple Query:

demisto.executeCommand("xdr-xql-generic-query", {"query":"dataset = xdr_data | filter event_type = ENUM.NETWORK | fields action_upload, action_remote_ip as remote_ip, action_external_hostname as remote_hostname, actor_process_image_name as process_name | comp sum(action_upload) as total_upload by process_name, remote_ip, remote_hostname | sort desc total_upload | limit 10","time_frame":"1 weeks ago", "query_name":"test20"})

Complex Query:

test2 = demisto.executeCommand("xdr-xql-generic-query", {"query":"dataset = xdr_data | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id in (7045, 4697) | alter Service_Name = arrayindex(regextract(action_evtlog_message, 'Service Name.*?(\w+)\\r\\n'),0), Service_cmd = arrayindex(regextract(action_evtlog_message,'Service File Name.*?(\w.*)\\r\\n'),0), Service_type = arrayindex(regextract(action_evtlog_message,'Service Type.*?(\w.*)\\r\\n'),0), Service_start_type = arrayindex(regextract(action_evtlog_message,'Service Start Type.*?(\w.*)\\r\\n'),0), Service_account = arrayindex(regextract(action_evtlog_message,'Service Account.*?(\w.*)'),0) | filter Service_cmd contains 'logonui.exe' | fields Service_Name, Service_cmd, Service_type, Service_start_type, Service_account, event_id","time_frame":"1 weeks ago", "query_name":"test20"})

Re: Running XQL Query to XDR from an Automation Script : Receiving 500 Bad Synatax from valid query

michaelsysec242 — Sun, 05 Mar 2023 14:27:02 GMT

Hello @MBeauchamp2 ,

I have recently placed the query in the the Automation Arguments and there is still the same problem that there is a bad character. We have decided to use the playbook instead. If you have a better solution please let me know.