Hi All,
I've made a custom detection rule to detect windows defender events related to malware or stop based on the below documentation:
The query is as bellow:
winlog.event_id: "1002" or "1003" or "1005" or "1006" or "1007" or "1008" or "1013" or "1116" or "1117" or "1118"
But I'm getting false positives where the rule is triggered on events other than the ones listed in the rule.
Any help on this is really appreciated.
Regards,
Hi,
Can you rephrase the query like this:
winlog.event_id:( 1002 or 1003 or 1005 or 1006 or 1007 or 1008 or 1013 or 1116 or 1117 or 1118)
Thanks,
Termcap
perfect this worked, but what is the difference between the query I've done and the one you provided?
Regards,
I'm not completely sure but there are two things I can see here:
When you don't group the values inside a bracket the query becomes something like winlog.event_id: "10002" OR "1003" OR "1234" and the field name winlog.event_id does not apply to "1003" and "1234"
secondly when you quote the value its treated as a string and not number.
I use the format I suggested because this is the kind of format I see being used in the default detection rules.
Thanks,
Termcap
Perfect, many thanks.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
