Threat detection EQL error

zhixiang_hao · September 13, 2022, 6:50am

Does anyone know what's causing it?

justin_ibarra · September 13, 2022, 10:51pm

Hi there, it looks like you are mixing up syntax in that field with KQL syntax. Correct usage would be:

powershell.file.script_block_text : ("MiniDumpWriteDump", "MiniDumpWithFullMemory", "pmuDetirWpmuDiniM")

zhixiang_hao · September 14, 2022, 1:19am

哈哈，i'm sorry,thank you help me

system · October 12, 2022, 1:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
EQL rules are wrong, God help me Elastic Security	7	386	October 20, 2022
EQL syntax error? Elastic Security eql-elastic-query-language	4	1486	July 28, 2021
Problem with EQL sequence by with field containing reserved characters Elastic Security	5	186	May 25, 2024
Syntax error shown in EQL queries for correlation Elastic Security	1	426	March 10, 2022
Problem with PowerShell security rules that use process.args Elastic Security	3	406	April 3, 2023