fix a bug in Cortex XDR - XQL Query Engine - replace 'tenant_ids' wit…

…h 'tenent_id' (demisto#27661)

* fix and test

* docker

* RN

* CR

Packs/CortexXDR/Integrations/XQLQueryingEngine/XQLQueryingEngine.py

@@ -351,7 +351,8 @@ def start_xql_query(client: Client, args: Dict[str, Any]) -> str:
     time_frame = args.get('time_frame')
     if time_frame:
         data['request_data']['timeframe'] = convert_timeframe_string_to_json(time_frame)
-    tenant_ids = argToList(args.get('tenant_ids'))
+    # The arg is called 'tenant_id', but to avoid BC we will also support 'tenant_ids'.
+    tenant_ids = argToList(args.get('tenant_id') or args.get('tenant_ids'))
     if tenant_ids:
         data['request_data']['tenants'] = tenant_ids
     # call the client function and get the raw response

Packs/CortexXDR/Integrations/XQLQueryingEngine/XQLQueryingEngine.yml

@@ -1889,7 +1889,7 @@ script:
     - contextPath: PaloAltoNetworksXQL.ProcessCausalityNetworkActivity.results._product
       description: The result product.
       type: String
-  dockerimage: demisto/python3:3.10.11.54132
+  dockerimage: demisto/python3:3.10.12.63474
   feed: false
   isfetch: false
   longRunning: false

Packs/CortexXDR/Integrations/XQLQueryingEngine/XQLQueryingEngine_test.py

@@ -422,6 +422,38 @@ def test_start_xql_query_valid(mocker):
     assert response == 'execution_id'
 
 
+@pytest.mark.parametrize('tenant_id,expected', [
+    ({'tenant_id': 'test_tenant_1'}, 'test_tenant_1'),
+    ({'tenant_ids': 'test_tenants_2'}, 'test_tenants_2'),
+    ({'tenant_id': 'test_tenant_3', 'tenant_ids': 'test_tenants_4'}, 'test_tenant_3')])
+def test_start_xql_query_with_tenant_id_and_tenant_ids(mocker, tenant_id, expected):
+    """
+    This test is to ensure a fix of a bug will not be removed in the future.
+    The bug was that the arg name is 'tenant_id', but the code was 'args.get('tenant_ids')'
+    in order to fix that without BC in case someone is using it with the wrong arg name, we added support for both.
+    Given:
+    - A valid query to search.
+    1. 'tenant_id' is the name of the key given in the args.
+    2. 'tenant_ids' is the name of the key given in the args.
+    3.both 'tenant_id' and 'tenant_ids' are given in the args.
+
+    When:
+    - Calling start_xql_query function.
+
+    Then:
+    - Ensure the call to start_xql_query is sent with the correct tenant_id.
+    """
+    args = {
+        'query': 'test_query',
+        'time_frame': '1 year',
+    }
+    args |= tenant_id
+
+    res = mocker.patch.object(CLIENT, 'start_xql_query', return_value='execution_id')
+    XQLQueryingEngine.start_xql_query(CLIENT, args=args)
+    assert res.call_args[0][0].get('request_data').get('tenants')[0] == expected
+
+
 def test_get_xql_query_results_success_under_1000(mocker):
     """
     Given:

Packs/CortexXDR/ReleaseNotes/4_11_6.md

@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### Cortex XDR - XQL Query Engine
+
+- Fixed an issue in the ***xdr-xql-generic-query*** command where the *tenant_id* argument wasn't used.
+- Updated the Docker image to: *demisto/python3:3.10.12.63474*.

Packs/CortexXDR/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Cortex XDR by Palo Alto Networks",
     "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
     "support": "xsoar",
-    "currentVersion": "4.11.5",
+    "currentVersion": "4.11.6",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",