Hi,
I have the following error
line 1:56: mismatched input '.0' expecting {'with', '[', '!['}
with this EQL query:
sequence by azure.auditlogs.properties.target_resources.0.id with maxspan=24h
[any where event.dataset == "azure.auditlogs" and event.outcome in ("Success", "success") and event.action == "Add user"]
[any where event.dataset == "azure.auditlogs" and event.outcome in ("Success", "success") and event.action == "Delete user"]
I tried escaping the 0 and surrounding the field with "" but I got the following errors:
line 1:57: token recognition error at: ''
line 1:11: Unsupported join key
Do you have any ideas to solve this problem?
Hi Maxim,
With this EQL I want to replicate this Sigma rule.
Yes, I have a 0 field in azure.auditlogs.properties.target_resources.
I tried to use azure.auditlogs.properties.target_resources.*.id as the field but I got the following error.
line 1:57: no viable alternative at input 'azure.auditlogs.properties.target_resources.*'
@llafortezza you're correct that the numeric field name is what's causing the issue here. You should be able to escape the field name in order to allow EQL to parse it correctly:
sequence by `azure.auditlogs.properties.target_resources.0.id` with maxspan=24h
[any where event.dataset == "azure.auditlogs" and event.outcome in ("Success", "success") and event.action == "Add user"]
[any where event.dataset == "azure.auditlogs" and event.outcome in ("Success", "success") and event.action == "Delete user"]
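What the corrected sequence actually matches, emulated in Python over constructed sample events as an added example (this is not code from the thread or from Elastic, and the event shape and timestamps are assumptions): it shows which "Add user" / "Delete user" pairs the rule would join on the first target resource id and which it discards.

```python
from datetime import datetime, timedelta

def make_event(ts, action, outcome, target_id):
    """Constructed Azure AD audit event (not real data) with the fields the query uses."""
    return {
        "@timestamp": ts,
        "event": {"dataset": "azure.auditlogs", "outcome": outcome, "action": action},
        "azure": {"auditlogs": {"properties": {"target_resources": [{"id": target_id}]}}},
    }

SAMPLE_EVENTS = [
    make_event("2024-01-01T08:00:00Z", "Add user", "Success", "user-A"),
    make_event("2024-01-01T10:30:00Z", "Delete user", "success", "user-A"),  # within 24h: hit
    make_event("2024-01-01T09:00:00Z", "Add user", "success", "user-B"),
    make_event("2024-01-03T09:00:00Z", "Delete user", "success", "user-B"),  # over 24h: no hit
    make_event("2024-01-01T12:00:00Z", "Add user", "failure", "user-D"),
    make_event("2024-01-01T13:00:00Z", "Delete user", "success", "user-D"),  # add failed: no hit
]

def join_key(event):
    """The value EQL addresses as `azure.auditlogs.properties.target_resources.0.id`."""
    try:
        return event["azure"]["auditlogs"]["properties"]["target_resources"][0]["id"]
    except (KeyError, IndexError, TypeError):
        return None

def stage_matches(event, action):
    # One bracketed stage: right dataset, successful outcome, expected action.
    e = event.get("event", {})
    return (e.get("dataset") == "azure.auditlogs"
            and e.get("outcome") in ("Success", "success")
            and e.get("action") == action)

def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def find_add_then_delete(events, maxspan=timedelta(hours=24)):
    """Simplified emulation of the sequence: a successful 'Delete user' after a successful
    'Add user' on the same join key within maxspan (EQL's own sequence semantics are richer)."""
    pending, hits = {}, []  # pending: join key -> time of the latest successful "Add user"
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        key, ts = join_key(ev), parse_ts(ev["@timestamp"])
        if key is None:
            continue
        if stage_matches(ev, "Add user"):
            pending[key] = ts
        elif stage_matches(ev, "Delete user") and key in pending:
            if ts - pending[key] <= maxspan:
                hits.append((key, pending[key].isoformat(), ts.isoformat()))
            del pending[key]
    return hits
```

Running `find_add_then_delete(SAMPLE_EVENTS)` yields only the user-A pair; the user-B pair falls outside maxspan and the user-D add never succeeded, so neither joins.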