Hi folks!
I'm running a query, through EQL, for event correlation, however, it's returning a syntax error. The strange thing is that the same query is made in another Elastic SIEM and it doesn't return an error. Has anyone had these problems?
I currently use Elastic SIEM version 7.16.1 on both servers on one of them it worked. In the other not. I tested it on version 14 and it worked. This occurs on my second server that I monitor.
verification_exception: Found 2 problems line 2:5: Cannot use field [event.category] due to ambiguities being mapped as [2] incompatible types: [text] in [packetbeat-7.16.1, packetbeat-7.16.2, winlogbeat-7.15.0], [keyword] in [.ds-logs-endpoint.alerts-default-2022.01.07-000001
sequence with maxspan=2m
[ authentication where event.code == "4625" ]
[ network where destination.port == "3389" ]
