01-09-2023 03:55 AM
Hi everybody,
Could you please help me with the following issue?
When I run an XQL query against an XDR dataset (!xdr-xql-generic-query), it returns the correct data to the War Room, but it takes almost 5 minutes before this data is moved to Context data (no matter how much data has been returned from XDR; this interval is always the same).
It looks like some kind of timeout, but I tried to change everything possible and it didn't change the behavior.
I need to have it in context data in near-realtime.
Thank you,
Jan
01-10-2023 03:55 PM
The complexity of the XQL query and the time range for the search could affect the time it would take to process and display the result.
We might be able to help better if you can provide the query you are trying to run and the arguments you use when running the command in XSOAR. A video of executing the command might also be helpful.
You could also open a support ticket if you want us to look into it privately, in case the query/video might contain sensitive information.
01-12-2023 04:53 AM
Hi @ysato,
Thank you for the response. In this case, there was no problem with the return of the query result; it didn't take long. What took long was the transition of the returned data into incident context data. Today we found that this behavior is related to only one account in the MSSP deployment. I will try to find the root cause, but will probably have to open a support ticket.