Threat detection EQL error

zhixiang_hao · September 13, 2022, 6:50am

Does anyone know what's causing it?

justin_ibarra · September 13, 2022, 10:51pm

Hi there, it looks like you are mixing up syntax in that field with KQL syntax. Correct usage would be:

powershell.file.script_block_text : ("MiniDumpWriteDump", "MiniDumpWithFullMemory", "pmuDetirWpmuDiniM")

zhixiang_hao · September 14, 2022, 1:19am

哈哈，i'm sorry,thank you help me

Topic		Replies	Views
KQL Comprehensive Tutorial on Event Correlation Rules SIEM docker	4	1175	December 26, 2022
EQL signal query return with error SIEM	2	376	March 25, 2021
Eql query usage in watcher/siem detection rules SIEM elastic-stack-alerting	1	484	December 17, 2020
EQL syntax error? Elastic Security eql-elastic-query-language	4	1609	July 28, 2021
EQL to query DSL: how to Convert EQL to SQL or DSL? Elastic Security	1	1223	November 4, 2022