Hey @MBeauchamp2 ,
I have tried running a simpler XQL query and I have succeeded in running it and getting results. Below I will attach both queries.
From what I can understand, the difference between the two queries is that in the more complex one there are elements of regex for field value extraction. It appears that this may be the problem. I will attempt to run the automation with the query as a static argument. I will update you if this works.
Many thanks,
MR
Simple Query:
# 'demisto' is the global object provided by the XSOAR script runtime.
demisto.executeCommand("xdr-xql-generic-query", {
    "query": "dataset = xdr_data | filter event_type = ENUM.NETWORK | fields action_upload, action_remote_ip as remote_ip, action_external_hostname as remote_hostname, actor_process_image_name as process_name | comp sum(action_upload) as total_upload by process_name, remote_ip, remote_hostname | sort desc total_upload | limit 10",
    "time_frame": "1 weeks ago",
    "query_name": "test20",
})
Complex Query:
# Raw string (r"...") so that \w and \r\n reach XQL exactly as written. In a normal
# Python literal, \w is not a valid escape (Python 3.12 warns on it) and \\r\\n had
# to be doubled to produce the same text; the raw form sends the same query without either issue.
test2 = demisto.executeCommand("xdr-xql-generic-query", {
    "query": (
        r"dataset = xdr_data | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id in (7045, 4697) "
        r"| alter Service_Name = arrayindex(regextract(action_evtlog_message, 'Service Name.*?(\w+)\r\n'),0), "
        r"Service_cmd = arrayindex(regextract(action_evtlog_message,'Service File Name.*?(\w.*)\r\n'),0), "
        r"Service_type = arrayindex(regextract(action_evtlog_message,'Service Type.*?(\w.*)\r\n'),0), "
        r"Service_start_type = arrayindex(regextract(action_evtlog_message,'Service Start Type.*?(\w.*)\r\n'),0), "
        r"Service_account = arrayindex(regextract(action_evtlog_message,'Service Account.*?(\w.*)'),0) "
        r"| filter Service_cmd contains 'logonui.exe' "
        r"| fields Service_Name, Service_cmd, Service_type, Service_start_type, Service_account, event_id"
    ),
    "time_frame": "1 weeks ago",
    "query_name": "test20",
})
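The following is an added example, not code from the thread or from the XSOAR/XQL products, for checking the two things the complex query depends on before it is handed to demisto.executeCommand: that the Python string escaping delivers the intended backslashes to XQL, and that the five regextract patterns pull the expected fields out of an Event ID 7045 message. It assumes Python's re module is close enough to XQL's regex dialect for these patterns (an assumption), and uses a constructed 7045 message body rather than a real log.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of a Windows Event ID 7045 (service installed) message body.
# Not a real log; the service name, path and account are made up for the test.
SAMPLE_7045 = (
    "A service was installed in the system.\r\n"
    "\r\n"
    "Service Name:  SampleSvc\r\n"
    "Service File Name:  C:\\Windows\\Temp\\logonui.exe -k\r\n"
    "Service Type:  user mode service\r\n"
    "Service Start Type:  auto start\r\n"
    "Service Account:  LocalSystem"
)

# The five patterns from the complex query, written as raw strings so the backslashes
# below are exactly the ones XQL will receive.
FIELD_PATTERNS: Dict[str, str] = {
    "Service_Name": r"Service Name.*?(\w+)\r\n",
    "Service_cmd": r"Service File Name.*?(\w.*)\r\n",
    "Service_type": r"Service Type.*?(\w.*)\r\n",
    "Service_start_type": r"Service Start Type.*?(\w.*)\r\n",
    "Service_account": r"Service Account.*?(\w.*)",
}


def regextract_first(message: str, pattern: str) -> Optional[str]:
    """Mimic arrayindex(regextract(message, pattern), 0): first capture group of the
    first match, or None when the pattern does not match (assumption: re ~ XQL regex)."""
    m = re.search(pattern, message)
    return m.group(1) if m else None


def extract_service_fields(message: str) -> Dict[str, Optional[str]]:
    """Apply every alter-stage pattern to one event message."""
    return {name: regextract_first(message, pat) for name, pat in FIELD_PATTERNS.items()}


def matches_hunt(message: str) -> bool:
    """Reproduce the query's final filter: Service_cmd contains 'logonui.exe'."""
    cmd = extract_service_fields(message)["Service_cmd"]
    return cmd is not None and "logonui.exe" in cmd


def escaping_comparison() -> Tuple[str, str]:
    """Show that the doubled-backslash literal used in the original automation and a
    raw string produce the same query text. (The original wrote \\w with a single
    backslash in a non-raw literal; Python keeps unknown escapes as-is, so the text
    sent was still 'Service Name.*?(\\w+)\\r\\n', but Python 3.12 warns on it.)"""
    non_raw = "Service Name.*?(\\w+)\\r\\n"   # normal literal, backslashes doubled
    raw = r"Service Name.*?(\w+)\r\n"         # raw literal, written as XQL sees it
    return non_raw, raw


def build_xql(patterns: Dict[str, str], event_ids=(7045, 4697)) -> str:
    """Assemble the same XQL text as the post from raw-string patterns, so the
    automation can pass the result as the "query" argument without escaping surprises."""
    alters = ", ".join(
        f"{name} = arrayindex(regextract(action_evtlog_message, '{pat}'),0)"
        for name, pat in patterns.items()
    )
    ids = ", ".join(str(i) for i in event_ids)
    return (
        "dataset = xdr_data "
        f"| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id in ({ids}) "
        f"| alter {alters} "
        "| filter Service_cmd contains 'logonui.exe' "
        "| fields " + ", ".join(patterns) + ", event_id"
    )


if __name__ == "__main__":
    print(extract_service_fields(SAMPLE_7045))
    print("hunt matches:", matches_hunt(SAMPLE_7045))
    print(build_xql(FIELD_PATTERNS))
```

Running the patterns locally against a constructed message is a cheap way to separate "the regex is wrong" from "the escaping mangled the query on the way to XQL", which is the distinction the thread is trying to make before falling back to a static query argument.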