
Invoke SophosCentralXDRQueryRun

simon-r-watson edited this page May 10, 2023 · 2 revisions

external help file: SophosCentral-help.xml
Module Name: SophosCentral
online version: https://developer.sophos.com/docs/xdr-query-v1/1/routes/queries/runs/post
schema: 2.0.0

Invoke-SophosCentralXDRQueryRun

SYNOPSIS

Run a query against the Sophos Data Lake.

SYNTAX

SavedQuery

Invoke-SophosCentralXDRQueryRun [-categoryId <String>] -queryId <String> [-From <Object>] [-To <Object>]
 [-ids <Array>] [-variables <Array>] [<CommonParameters>]

CustomBody

Invoke-SophosCentralXDRQueryRun -customBody <Hashtable> [<CommonParameters>]

CustomQuery

Invoke-SophosCentralXDRQueryRun -Query <String> [-From <Object>] [-To <Object>] [-queryName <String>]
 [-ids <Array>] [-variables <Array>] [<CommonParameters>]

DESCRIPTION

Run a query against the Sophos Data Lake.

The values in the example bodies below (for instance the contents of the variables hashtables) may not be correct, but the structure of the hashtable matches what the API expects.

EXAMPLES

EXAMPLE 1

$body = @{
    'adHocQuery' = @{
        # Single-quoted PowerShell strings need no \" escapes: the backslashes would be sent to the Data Lake as part of the SQL
        'template' = 'select * from "xdr_data" limit 10'
        'name' = 'test search'
    }
    'from' = '2022-01-01T12:02:01.000Z'
    'to' = '2022-01-21T12:02:01.700Z'
}
$query = Invoke-SophosCentralXDRQueryRun -CustomBody $body

EXAMPLE 2

$body = @{
    'adHocQuery' = @{
        'template' = 'select * from "xdr_data" limit 10'
        'name' = 'test search'
    }
    'from' = '2022-01-01T12:02:01.000Z'
    'to' = '2022-01-21T12:02:01.700Z'
    # variables is an array of hashtables, one per template variable
    'variables' = @(
        @{
            'name' = 'var1'
            'dataType' = 'text'
            'value' = 'asdfwsdfsdf'
            'pivotType' = 'deviceId'
        },
        @{
            'name' = 'var2'
            'dataType' = 'double'
            'value' = 'asdfwsdfsdf'
            'pivotType' = 'sha256'
        }
    )
    # restrict the run to these endpoint IDs (1 to 1000); omit to query all endpoints
    'matchEndpoints' = @{
        'filters' = @(
            @{
                'ids' = @(
                    '7076e453-662f-40b9-bac6-5589691bd6de',
                    '7edf66a6-325f-40a3-bcb6-3b63ecbcba74'
                )
            }
        )
    }
}
$query = Invoke-SophosCentralXDRQueryRun -CustomBody $body

EXAMPLE 3

$query = Invoke-SophosCentralXDRQueryRun -Query "SELECT name, meta_hostname FROM xdr_data WHERE query_name = 'windows_startup_items' AND name = 'someSVC'" -From (Get-Date).AddDays(-7) -To (Get-Date)

EXAMPLE 4

$query = Invoke-SophosCentralXDRQueryRun -Query "SELECT name, meta_hostname FROM xdr_data WHERE query_name = 'windows_startup_items' AND name = 'imDmsSvc'" -From (Get-Date).AddDays(-7) -To (Get-Date)

PARAMETERS

-categoryId

Query category ID.

Type: String
Parameter Sets: SavedQuery
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-queryId

ID of the saved query to run.

Type: String
Parameter Sets: SavedQuery
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-customBody

The query to run as a hashtable, see this for query options - https://developer.sophos.com/docs/xdr-query-v1/1/routes/queries/runs/post

Type: Hashtable
Parameter Sets: CustomBody
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Query

SQL to run against the Data Lake; it is sent as the template of an ad hoc query. Values that come from outside (an alert, a ticket) are better passed through -variables than concatenated into this string.

Type: String
Parameter Sets: CustomQuery
Aliases:

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-From

Start of time range that is applied when running the query (inclusive). It can be in ISO duration format, full UTC timestamp or date only.

Type: Object
Parameter Sets: SavedQuery, CustomQuery
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-To

End of time range that is applied when running the query (inclusive). It can be in ISO duration format, full UTC timestamp or date only.

Type: Object
Parameter Sets: SavedQuery, CustomQuery
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-queryName

Name given to the ad hoc query. Defaults to AdHoc.

Type: String
Parameter Sets: CustomQuery
Aliases:

Required: False
Position: Named
Default value: AdHoc
Accept pipeline input: False
Accept wildcard characters: False

-ids

Run the query only on the endpoints with the specified IDs. Must contain from 1 to 1000 items. If not specified, all endpoints are queried.

Type: Array
Parameter Sets: SavedQuery, CustomQuery
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-variables

Values of variables to be replaced in the template SQL. Array of hashtables, each containing the following keys:

- name: Variable name.
- dataType: Data type supported for EDR Data Lake queries. The following values are allowed: double, integer, text, dateTime, boolean.
- value: String value of the variable.
- pivotType: The meaning of an input parameter of a query. The following values are allowed: deviceId, deviceName, sophosPid, ipAddress, username, sha256, filePath, registryKey, url.

Type: Array
Parameter Sets: SavedQuery, CustomQuery
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
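The examples above and the -variables description both leave the variables structure loosely specified. The following is an added example, not code from the SophosCentral module: a local helper (New-XdrQueryBody, a hypothetical name) that builds a -customBody hashtable, checks every $$name$$ placeholder in the template against the variables array, enforces the allowed dataType and pivotType values and the 1 to 1000 endpoint ID limit, and converts -From/-To to full UTC timestamps. It assumes the Data Lake substitutes $$name$$ placeholders in the template (the Live Discover template syntax) and that the module serialises the hashtable to JSON as given.

```powershell
# Added example; not part of the SophosCentral module.
# Assumes $$name$$ placeholder syntax in the template and a module that serialises the hashtable as-is.

function New-XdrQueryBody {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Template,
        [string]      $Name        = 'AdHoc',
        [datetime]    $From        = (Get-Date).AddDays(-7),
        [datetime]    $To          = (Get-Date),
        [hashtable[]] $Variables   = @(),
        [string[]]    $EndpointIds = @()
    )

    # Allowed values as listed for -variables on this page.
    $allowedDataTypes = 'double', 'integer', 'text', 'dateTime', 'boolean'
    $allowedPivots    = 'deviceId', 'deviceName', 'sophosPid', 'ipAddress', 'username',
                        'sha256', 'filePath', 'registryKey', 'url'
    # Pivot values with a fixed shape can be checked client-side before anything is sent.
    $pivotPatterns = @{ sha256 = '^[0-9a-fA-F]{64}$'; deviceId = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' }

    # Every $$placeholder$$ in the template needs a value, and every value a placeholder.
    $placeholders = @([regex]::Matches($Template, '\$\$([^$]+)\$\$') |
                      ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)
    $names   = @($Variables | ForEach-Object { $_.name } | Sort-Object -Unique)
    $missing = @($placeholders | Where-Object { $_ -notin $names })
    $unused  = @($names | Where-Object { $_ -notin $placeholders })
    if ($missing) { throw "Template references variables without a value: $($missing -join ', ')" }
    if ($unused)  { throw "Variables not used by the template: $($unused -join ', ')" }

    foreach ($v in $Variables) {
        if ($v.dataType -notin $allowedDataTypes) {
            throw "Variable '$($v.name)': dataType '$($v.dataType)' is not one of $($allowedDataTypes -join ', ')"
        }
        # The API takes value as a string even for double/integer/boolean.
        if ($v.value -isnot [string]) { throw "Variable '$($v.name)': value must be a string" }
        if ($v.ContainsKey('pivotType')) {
            if ($v.pivotType -notin $allowedPivots) {
                throw "Variable '$($v.name)': pivotType '$($v.pivotType)' is not one of $($allowedPivots -join ', ')"
            }
            $pattern = $pivotPatterns[$v.pivotType]
            if ($pattern -and $v.value -notmatch $pattern) {
                throw "Variable '$($v.name)': value does not look like a $($v.pivotType)"
            }
        }
    }

    if ($EndpointIds.Count -gt 1000) { throw 'matchEndpoints.filters.ids accepts 1 to 1000 IDs' }
    foreach ($id in $EndpointIds) {
        $g = [guid]::Empty
        if (-not [guid]::TryParse($id, [ref]$g)) { throw "Endpoint ID '$id' is not a GUID" }
    }
    if ($From -gt $To) { throw "from ($From) is later than to ($To)" }

    # from/to as full UTC timestamps, one of the formats -From/-To accept.
    $body = @{
        adHocQuery = @{ template = $Template; name = $Name }
        from       = $From.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
        to         = $To.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    }
    if ($Variables.Count -gt 0)   { $body.variables = @($Variables) }
    if ($EndpointIds.Count -gt 0) { $body.matchEndpoints = @{ filters = @(@{ ids = @($EndpointIds) }) } }
    return $body
}

# Constructed input: a service name taken from an alert. Whether the service escapes
# substituted text is not documented here, so the caller restricts it to a safe shape
# instead of splicing it into the SQL string.
$serviceName = 'imDmsSvc'
if ($serviceName -notmatch '^[A-Za-z0-9_.-]{1,256}$') { throw "Unexpected characters in service name '$serviceName'" }

$template = @'
SELECT name, meta_hostname
FROM xdr_data
WHERE query_name = 'windows_startup_items' AND name = '$$svc$$'
'@

$body = New-XdrQueryBody -Template $template -Name 'startup item by name' `
    -From (Get-Date).AddDays(-7) -To (Get-Date) `
    -Variables @( @{ name = 'svc'; dataType = 'text'; value = $serviceName } ) `
    -EndpointIds '7076e453-662f-40b9-bac6-5589691bd6de'

# Inspect exactly what will be serialised before it is sent.
$body | ConvertTo-Json -Depth 5

# Only call the module when it is loaded; the helper itself works offline.
if (Get-Command Invoke-SophosCentralXDRQueryRun -ErrorAction SilentlyContinue) {
    $query = Invoke-SophosCentralXDRQueryRun -customBody $body
    $query
}
```

The helper fails early on the mismatches the API would otherwise reject after a round trip (a placeholder with no variable, an unsupported dataType, more than 1000 IDs), and the pivot-specific regexes plus the caller's allow-list keep values from untrusted sources in a known shape before they reach the Data Lake.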

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES

RELATED LINKS

https://developer.sophos.com/docs/xdr-query-v1/1/routes/queries/runs/post