redcanaryco / surveyor

A cross-platform baselining, threat hunting, and attack surface analysis tool for security teams.
MIT License

[BUG] Base query filter and query string not being concatenated with an operator causing invalid query #77

Closed xC0uNt3r7hr34t closed 1 year ago

xC0uNt3r7hr34t commented 1 year ago

When using filter options in command line arguments along with --query, the operator is missing between the filter (base_query) and the specified query string. Any base query filters should use the 'AND' operator to combine these queries.

It is preferred to put the base query filters in their own parentheses in case OR operators are used in a definition file or --query string. Without these parentheses, an issue could occur when using OR operators in other places in the query.

Example finished query:

```
SiteId in contains ("site_id") AND (SrcProcName containsCIS "code.exe" or SrcProcName containsCIS "git.exe") AND (UserName containsCIS "username" AND EndpointName containsCIS "computer_name")
```

Command line:

```
py .\surveyor.py --username 'redacted-user' --profile default --query 'SrcProcName containsCIS \"explorer.exe\"' s1 --creds <cred-file>

py .\surveyor.py --username 'redacted-user' --hostname 'hostname' --profile default --deffile sysinternals.json s1 --creds <cred-file>
```

Output:

```
Running Custom Query: SrcProcName containsCIS "explorer.exe"
Built Query: SrcProcName containsCIS "explorer.exe" UserName containscis "redacted-user"
Caught ValueError (see log for details): S1 could not parse query "SiteID in contains ("REDACTED", "REDACTED") AND (SrcProcName containsCIS "explorer.exe" UserName containscis "redacted-user")"
```

If possible it would be nice to not need to escape quotes in the query string, but I am not sure if this is a limitation with how variables are being stored.
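The two failure modes described in the report (no operator between the base filter and the query, and a missing pair of parentheses letting an OR in the query bind to a base filter) are shown below in an added Python example. This is not surveyor's own code and not SentinelOne's parser: it is a hypothetical query builder plus a small evaluator for the subset of the S1 query language used in the report (`contains`/`containsCIS` comparisons, AND/OR with AND binding tighter, parentheses). The function names, the field names `UserName`/`EndpointName`/`SrcProcName` and the sample event are assumptions made for illustration.

```python
import re

# Hypothetical builders (not surveyor's code). Field names follow the S1 output
# quoted in the report; everything else is an assumption for illustration.


def base_filters(username=None, hostname=None):
    """Base filters derived from CLI options such as --username / --hostname."""
    filters = []
    if username:
        filters.append(f'UserName containsCIS "{username}"')
    if hostname:
        filters.append(f'EndpointName containsCIS "{hostname}"')
    return filters


def build_query(filters, query):
    """Fixed form: every piece in its own parentheses, pieces joined with AND."""
    parts = [f"({f})" for f in filters]
    if query and query.strip():
        parts.append(f"({query.strip()})")
    return " AND ".join(parts)


def build_query_no_parens(filters, query):
    """AND is inserted but nothing is parenthesised: an OR in `query` changes meaning."""
    return " AND ".join(list(filters) + [query])


def build_query_reported(filters, query):
    """Reproduces the reported defect: pieces joined by a space, no operator at all."""
    return " ".join([query] + list(filters))


# Minimal recursive-descent parser/evaluator for the subset of the language used
# above. Grammar: expr := term (OR term)* ; term := factor (AND factor)* ;
# factor := '(' expr ')' | FIELD (contains|containsCIS) "value".
_TOKEN = re.compile(r'\(|\)|"[^"]*"|\w+')


class _Parser:
    def __init__(self, query):
        leftover = _TOKEN.sub("", query).strip()
        if leftover:
            raise ValueError(f"unexpected text in query: {leftover!r}")
        self.toks = _TOKEN.findall(query)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:  # trailing tokens with no operator before them
            raise ValueError(f"could not parse query near {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() is not None and self.peek().upper() == "AND":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op, value = self.take(), self.take(), self.take()
        if op.lower() not in ("contains", "containscis") or not value.startswith('"'):
            raise ValueError(f"could not parse query near {field} {op} {value}")
        return ("cmp", field, op, value.strip('"'))


def _evaluate(node, event):
    if node[0] == "and":
        return _evaluate(node[1], event) and _evaluate(node[2], event)
    if node[0] == "or":
        return _evaluate(node[1], event) or _evaluate(node[2], event)
    _, field, op, value = node
    haystack = str(event.get(field, ""))
    if op.lower() == "containscis":  # CIS = case-insensitive substring match
        return value.lower() in haystack.lower()
    return value in haystack


def matches(query, event):
    """True if `event` (a dict of field -> value) satisfies `query`; ValueError if unparsable."""
    return _evaluate(_Parser(query).parse(), event)


if __name__ == "__main__":
    # Constructed sample event: a different user running git.exe.
    event = {"SrcProcName": "git.exe", "UserName": "bob", "EndpointName": "host1"}
    filters = base_filters(username="alice")
    query = 'SrcProcName containsCIS "code.exe" or SrcProcName containsCIS "git.exe"'
    print(matches(build_query(filters, query), event))            # False: bob is filtered out
    print(matches(build_query_no_parens(filters, query), event))  # True: OR escaped the AND
    try:
        matches(build_query_reported(filters, query), event)
    except ValueError as exc:
        print("reported defect:", exc)
```

The parenthesised form is the only one of the three that both parses and keeps the `--username` filter in force when the definition or `--query` string contains an OR; the unparenthesised AND form parses fine, which is why the missing parentheses are the harder bug to notice.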