Hi,
I was wondering how to use multiple operators using EQL (Event Query Language).
My EQL query is:
any where office_hours == false and winlog.event_id == 4624 or winlog.event_id == 4625
I would like to add parentheses so it would lead to:
office_hours == false AND (winlog.event_id == 4624 or winlog.event_id == 4625)
because currently it gives me logs when office_hours == true also, so I suppose that without any parentheses it interprets the query as:
(office_hours == false and winlog.event_id == 4624) OR (winlog.event_id == 4625)
But the parentheses are not taken into account, so I don't know what to do. I tried with (, { and [ but none of these work. I am aware of the syntax reference but there's no example in it. I also tried adding office_hours == false a second time after the "OR" but it doesn't work either.
Is the only solution to make two distinct alerts? One with 4624 and another with 4625.
Thanks !
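Added example (not part of the original post): a small Python script that runs the two groupings from the question over constructed logon events, so the difference is visible as a list of matched event ids. It assumes EQL, like Python, binds "and" tighter than "or", and that EQL accepts parenthesized boolean groups and the `in` operator as written in the comments; the event records are made up for the demonstration.

```python
# Constructed sample events (not real log data) with the two fields used in
# the question. Python's own "and"/"or" precedence mirrors the assumed EQL
# precedence, so the Python predicates reproduce what each EQL form matches.
EVENTS = [
    {"id": 1, "office_hours": False, "winlog.event_id": 4624},
    {"id": 2, "office_hours": False, "winlog.event_id": 4625},
    {"id": 3, "office_hours": True,  "winlog.event_id": 4624},
    {"id": 4, "office_hours": True,  "winlog.event_id": 4625},
    {"id": 5, "office_hours": False, "winlog.event_id": 4672},
]


def unparenthesized(e):
    """EQL as written in the question, with implicit grouping:
    any where office_hours == false and winlog.event_id == 4624 or winlog.event_id == 4625
    Because "and" binds tighter, this reads as
    (office_hours == false and event_id == 4624) or (event_id == 4625),
    so an in-hours 4625 event still matches."""
    return (e["office_hours"] is False and e["winlog.event_id"] == 4624) \
        or e["winlog.event_id"] == 4625


def parenthesized(e):
    """Intended EQL, with explicit grouping:
    any where office_hours == false and (winlog.event_id == 4624 or winlog.event_id == 4625)"""
    return e["office_hours"] is False and (
        e["winlog.event_id"] == 4624 or e["winlog.event_id"] == 4625
    )


def with_in(e):
    """Same intent using EQL's "in" operator, which removes the precedence question:
    any where office_hours == false and winlog.event_id in (4624, 4625)"""
    return e["office_hours"] is False and e["winlog.event_id"] in (4624, 4625)


def matching_ids(predicate):
    """Return the ids of the constructed events that satisfy a predicate."""
    return [e["id"] for e in EVENTS if predicate(e)]


if __name__ == "__main__":
    # The unparenthesized form also returns event 4 (office hours, 4625),
    # which is the unwanted match described in the question.
    print("implicit grouping :", matching_ids(unparenthesized))
    print("explicit grouping :", matching_ids(parenthesized))
    print("with in operator  :", matching_ids(with_in))
```

Event 4 (office_hours == true, event_id 4625) is matched only by the implicit grouping, which is exactly the extra in-hours result the question describes; both the parenthesized form and the `in` form restrict results to off-hours 4624/4625 events.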