Problem with EQL sequence by with field containing reserved characters

Hi,
I have the following error
line 1:56: mismatched input '.0' expecting {'with', '[', '!['}
with this EQL query:

sequence by azure.auditlogs.properties.target_resources.0.id with maxspan=24h 
[any where event.dataset == "azure.auditlogs" and event.outcome in ("Success", "success") and event.action == "Add user"]
[any where event.dataset == "azure.auditlogs" and event.outcome in ("Success", "success") and event.action == "Delete user"]

I tried to escape the 0 and to surround the field with "", but I got the following errors:
line 1:57: token recognition error at: ''
line 1:11: Unsupported join key
Do you have any ideas to solve this problem?


Hi @llafortezza and welcome to the Elastic community!

Could you clarify what you want to achieve with this EQL?

Checking ECS mappings for azure.auditlogs.properties.target_resources I see this

azure.auditlogs.properties.target_resources.*.id
ID

type: keyword

There is a wildcard * inside which will match any field name. Do you have a 0 field in azure.auditlogs.properties.target_resources?

Hi Maxim,
With this EQL I want to replicate this Sigma rule.

Yes, I have a 0 field in azure.auditlogs.properties.target_resources.
I tried to use azure.auditlogs.properties.target_resources.*.id as field but i got the following error.
line 1:57: no viable alternative at input 'azure.auditlogs.properties.target_resources.*'

@llafortezza you're correct that the numeric field name is what's causing the issue here. You should be able to escape the field name in order to allow EQL to parse it correctly:

sequence by `azure.auditlogs.properties.target_resources.0.id` with maxspan=24h 
[any where event.dataset == "azure.auditlogs" and event.outcome in ("Success", "success") and event.action == "Add user"]
[any where event.dataset == "azure.auditlogs" and event.outcome in ("Success", "success") and event.action == "Delete user"]
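As an added illustration (not code from the thread or from Elastic), the following Python reproduces what the corrected EQL sequence above does, run over constructed Azure audit-log events: it resolves the dotted join key `azure.auditlogs.properties.target_resources.0.id` by treating the numeric segment `0` as an index into the `target_resources` array (the reason the bare name trips the EQL parser), joins an "Add user" event with a later "Delete user" event on that key, and enforces the `maxspan=24h` window. The event shape and sample records are assumptions for the example; they are not real log data.

```python
"""Added example: a minimal re-implementation of the EQL sequence
`sequence by azure.auditlogs.properties.target_resources.0.id with maxspan=24h
 [any where ... event.action == "Add user"] [any where ... event.action == "Delete user"]`
over constructed Azure audit-log documents. Not part of the original thread."""

from datetime import datetime, timedelta, timezone

JOIN_KEY = "azure.auditlogs.properties.target_resources.0.id"
MAXSPAN = timedelta(hours=24)


def resolve(doc, path):
    """Walk a dotted path through nested dicts and lists.

    A numeric segment (the "0" in target_resources.0.id) indexes into a list;
    any missing key, out-of-range index or type mismatch yields None.
    """
    cur = doc
    for seg in path.split("."):
        if isinstance(cur, list):
            if not seg.isdigit() or int(seg) >= len(cur):
                return None
            cur = cur[int(seg)]
        elif isinstance(cur, dict):
            if seg not in cur:
                return None
            cur = cur[seg]
        else:
            return None
    return cur


def matches(doc, action):
    """The shared `where` clause of both sequence steps, exact-case like EQL `in`."""
    return (
        resolve(doc, "event.dataset") == "azure.auditlogs"
        and resolve(doc, "event.outcome") in ("Success", "success")
        and resolve(doc, "event.action") == action
    )


def find_sequences(events, join_key=JOIN_KEY, maxspan=MAXSPAN):
    """Return (add_event, delete_event) pairs that share join_key, with the
    delete occurring after the add and within maxspan."""
    events = sorted(events, key=lambda e: e["@timestamp"])
    pending = {}  # join value -> most recent unmatched "Add user" event
    hits = []
    for ev in events:
        key = resolve(ev, join_key)
        if key is None:
            continue
        if matches(ev, "Add user"):
            pending[key] = ev
        elif matches(ev, "Delete user") and key in pending:
            first = pending.pop(key)
            if ev["@timestamp"] - first["@timestamp"] <= maxspan:
                hits.append((first, ev))
    return hits


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def _event(ts, action, target_id, outcome="Success"):
    # Assumed document layout: target_resources is an array, so the flattened
    # field name of the first element's id is ...target_resources.0.id.
    return {
        "@timestamp": _ts(ts),
        "event": {"dataset": "azure.auditlogs", "action": action, "outcome": outcome},
        "azure": {"auditlogs": {"properties": {"target_resources": [{"id": target_id}]}}},
    }


# Constructed sample data (not real log records).
SAMPLE_EVENTS = [
    _event("2024-01-01T08:00:00", "Add user", "user-a"),
    _event("2024-01-01T09:30:00", "Delete user", "user-a"),  # within 24h -> match
    _event("2024-01-02T08:00:00", "Add user", "user-b"),
    _event("2024-01-04T08:00:00", "Delete user", "user-b"),  # 48h later -> no match
    _event("2024-01-03T08:00:00", "Add user", "user-c", outcome="Failure"),
    _event("2024-01-03T09:00:00", "Delete user", "user-c"),  # add failed -> no match
    _event("2024-01-05T08:00:00", "Delete user", "user-d"),  # no preceding add
]

if __name__ == "__main__":
    for add, delete in find_sequences(SAMPLE_EVENTS):
        print(resolve(add, JOIN_KEY), add["@timestamp"], "->", delete["@timestamp"])
```

Running the script prints the single user-a pair; the user-b pair is rejected by the 24-hour window, user-c never enters the pending set because its add failed, and user-d has no preceding add. The same `resolve` helper shows why the path has to be quoted in EQL: without backticks the parser reads `.0` as a number, not as a path segment.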

Thanks @RylandHerrick! Now it works.

