Detection Rule with query issues

Hi All,

I've made a custom detection rule to detect windows defender events related to malware or stop based on the below documentation:

The query is as bellow:

winlog.event_id: "1002" or "1003" or "1005" or "1006" or "1007" or  "1008" or "1013" or  "1116" or "1117" or  "1118"

But I'm getting false positives where the rule is triggered on events other than the ones listed in the rule.

Any help on this is really appreciated.



Can you rephrase the query like this:

winlog.event_id:( 1002 or 1003 or 1005 or 1006 or 1007 or 1008 or 1013 or 1116 or 1117 or 1118)



perfect this worked, but what is the difference between the query I've done and the one you provided?


I'm not completely sure but there are two things I can see here:

When you don't group the values inside a bracket the query becomes something like winlog.event_id: "10002" OR "1003" OR "1234" and the field name winlog.event_id does not apply to "1003" and "1234"

secondly when you quote the value its treated as a string and not number.

I use the format I suggested because this is the kind of format I see being used in the default detection rules.


Perfect, many thanks.

1 Like