[Rule Tuning] Enumeration of Administrator Accounts #709
Assignees
Labels
Comments
1 task
|
I believe this was an intermittent issue because of the elasticsearch version that was used when tested. I think it's all sorted out. @spong can you confirm? |
Commented over on the PR as well, but the es snapshot on the test cluster is from ~month ago ( |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Rule
871ea072-1b71-4def-b016-6278b505138dEnumeration of Administrator Accountsis failing in both the API search and detection engine with the following error{ "error" : { "root_cause" : [ { "type" : "parsing_exception", "reason" : "line 6:27: no viable alternative at input '(((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\\n not process.parent.name : \"net.exe\")) and\\n process.args : (\"group\",'" } ], "type" : "parsing_exception", "reason" : "line 6:27: no viable alternative at input '(((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\\n not process.parent.name : \"net.exe\")) and\\n process.args : (\"group\",'", "caused_by" : { "type" : "no_viable_alt_exception", "reason" : null } }, "status" : 400 }I did not find any obvious issues with the query so we need to determine if it is a bug in EQL or the rule
REF: elastic/kibana#85506 (comment)
The text was updated successfully, but these errors were encountered: