sophos_run_xdr_query
Execute ad-hoc XDR SQL queries against the Sophos data lake to investigate security events. Returns a run ID for polling status and results.
Instructions
Run an ad-hoc XDR (Extended Detection and Response) SQL query against the Sophos data lake. Returns a run ID to poll for status and results.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| query | Yes | The SQL query string to execute (15–50000 characters) | |
| to_date | No | End of the query time range. ISO 8601 timestamp or ISO 8601 duration. | |
| from_date | No | Start of the query time range. ISO 8601 timestamp (e.g. '2024-01-01T00:00:00.000Z') or ISO 8601 duration (e.g. 'P7D'). | |
| tenant_id | Yes | The tenant ID to run the XDR query against | |
| variables | No | JSON array of variable objects to substitute into the query template. Each object must have: name (string), dataType (double|integer|text|dateTime|boolean), value (string), and optionally pivotType (deviceId|deviceName|sophosPid|ipAddress|username|sha256|filePath|registryKey|url). | |
| query_name | No | Human-readable name for this query run (default: 'AdHoc') | |
| endpoint_ids | No | Comma-separated list of endpoint UUIDs to scope the query. If omitted, the query runs against all eligible endpoints. | |
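An added client-side validation example, not part of the Sophos tool definition: it checks a call against the input schema above (query length, time-range format, variable dataType/pivotType enums, endpoint UUIDs) before anything is sent, so a malformed run is rejected locally. Function and body field names are assumptions, and the duration pattern covers only a common subset of ISO 8601.

```python
import json
import re
import uuid
from datetime import datetime

# Enumerations taken from the variables row of the input schema.
DATA_TYPES = {"double", "integer", "text", "dateTime", "boolean"}
PIVOT_TYPES = {"deviceId", "deviceName", "sophosPid", "ipAddress", "username",
               "sha256", "filePath", "registryKey", "url"}
# Assumed subset of ISO 8601 durations, e.g. 'P7D' or 'PT12H'.
DURATION_RE = re.compile(
    r"^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")


def is_time_spec(value):
    """True if value is an ISO 8601 duration or timestamp (from_date/to_date)."""
    if DURATION_RE.match(value):
        return True
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def build_xdr_request(query, tenant_id, from_date=None, to_date=None,
                      variables=None, query_name="AdHoc", endpoint_ids=None):
    """Validate the tool inputs and return the request body (assumed shape).
    Raises ValueError on the first schema violation."""
    if not 15 <= len(query) <= 50000:
        raise ValueError("query must be 15-50000 characters")
    body = {"query": query, "tenant_id": tenant_id, "query_name": query_name}
    for field, value in (("from_date", from_date), ("to_date", to_date)):
        if value is not None:
            if not is_time_spec(value):
                raise ValueError(f"{field}: not an ISO 8601 timestamp/duration")
            body[field] = value
    if variables is not None:
        parsed = json.loads(variables)  # schema says: JSON array of objects
        if not isinstance(parsed, list):
            raise ValueError("variables must be a JSON array")
        for v in parsed:
            if not {"name", "dataType", "value"} <= set(v):
                raise ValueError(f"variable missing name/dataType/value: {v}")
            if v["dataType"] not in DATA_TYPES or not isinstance(v["value"], str):
                raise ValueError(f"bad dataType or non-string value: {v}")
            if "pivotType" in v and v["pivotType"] not in PIVOT_TYPES:
                raise ValueError(f"bad pivotType: {v['pivotType']}")
        body["variables"] = parsed
    if endpoint_ids:
        ids = [e.strip() for e in endpoint_ids.split(",")]
        for e in ids:
            uuid.UUID(e)  # raises ValueError for anything that is not a UUID
        body["endpoint_ids"] = ids
    return body
```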