Running XQL Query to XDR from an Automation Script : Receiving 500 Bad Synatax from valid query

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Running XQL Query to XDR from an Automation Script : Receiving 500 Bad Synatax from valid query

L3 Networker

Hello all, 

I am attempting to run an XQL query from an automation script. The query is valid and can be run manually and this works well both on XSOAR and on the Query Editor section on XDR. Essentially we refer to the query under a variable and then reference the variable under the execute command.... The error I receive is 500 - token recognition error at: '''\"} It appears that what is causing this is the Quote Marks around the query that are included in the command and this is likely the cause. Is there a way to safely run an XQL query in regards to best practice etc ?

Another question, I can use a saved query from the tenant and then to run it with my custom variables, is it possible to run a saved query with incident variables on an automation ?

Many thanks,

#XDR

#XSOAR

MR

PCSAE
1 accepted solution

Accepted Solutions

L3 Networker

Hello @MBeauchamp2 , 

I have recently placed the query in the the Automation Arguments and there is still the same problem that there is a bad character. We have decided to use the playbook instead. If you have a better solution please let me know. 

PCSAE

View solution in original post

3 REPLIES 3

L4 Transporter

If you run the query via the command line, can you copy the argument to the automation?  The result should escape the quotes for you. 


It should work the same when used in an automation, if you're hard coding the query then you need to escape the quotes.  

 

Alternatively add an argument to your automation and pass the query in that way, and you won't have to escape anything.  You can grab it as a variable and pass it to the executeCommand call. 

Hey @MBeauchamp2 ,

I have tried running a simpler XQL Query and I have succeeded in running in an getting results. Below I will attach both queries. 

From What I can understand the difference between the two queries is that In the more complex one there are elements of regex for field value extraction. It appears that this may be the problem. I will attempt to run the automation with the Query as a static argument. I will update you if this works. 

May thanks,

MR

 

Simple Query: 

 

 demisto.executeCommand("xdr-xql-generic-query", {"query":"dataset = xdr_data | filter event_type = ENUM.NETWORK | fields action_upload, action_remote_ip as remote_ip, action_external_hostname as remote_hostname, actor_process_image_name as process_name | comp sum(action_upload) as total_upload by process_name, remote_ip, remote_hostname | sort desc total_upload | limit 10","time_frame":"1 weeks ago", "query_name":"test20"})

 

Complex Query: 

 

test2 = demisto.executeCommand("xdr-xql-generic-query", {"query":"dataset = xdr_data | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id in (7045, 4697) | alter Service_Name = arrayindex(regextract(action_evtlog_message, 'Service Name.*?(\w+)\\r\\n'),0), Service_cmd = arrayindex(regextract(action_evtlog_message,'Service File Name.*?(\w.*)\\r\\n'),0), Service_type = arrayindex(regextract(action_evtlog_message,'Service Type.*?(\w.*)\\r\\n'),0), Service_start_type = arrayindex(regextract(action_evtlog_message,'Service Start Type.*?(\w.*)\\r\\n'),0), Service_account = arrayindex(regextract(action_evtlog_message,'Service Account.*?(\w.*)'),0) | filter Service_cmd contains 'logonui.exe' | fields Service_Name, Service_cmd, Service_type, Service_start_type, Service_account, event_id","time_frame":"1 weeks ago", "query_name":"test20"})

 

PCSAE

L3 Networker

Hello @MBeauchamp2 , 

I have recently placed the query in the the Automation Arguments and there is still the same problem that there is a bad character. We have decided to use the playbook instead. If you have a better solution please let me know. 

PCSAE
  • 1 accepted solution
  • 1799 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!