Summary
Several hunting queries in the library contained invalid ES|QL syntax that would cause query failures during execution. This PR fixes syntax errors across 6 hunting queries spanning AWS, Azure, Linux, Okta, and Windows platforms.
Issues Fixed
| File | Issue | Fix |
|---|---|---|
| `servicequotas_discovery_multi_region_get_service_quota_calls.toml` | Single `=` used instead of `==` for comparison | Changed `event.provider = "servicequotas..."` to `event.provider == "servicequotas..."` |
| `entra_authentication_attempts_behind_rare_user_agents.toml` | Integer comparison in `IN` clause fails for mapped field; trailing `or` with no operand | Cast field to string with `::STRING` and compare against string values; removed trailing `or` |
| `persistence_via_malicious_docker_container.toml` | Incorrect index pattern `logs-endpoint.events.network-*` | Changed to `logs-endpoint.*` |
| `persistence_via_web_shell.toml` | Incorrect index pattern `logs-endpoint.events.network-*` | Changed to `logs-endpoint.*` |
| `credential_access_rapid_reset_password_requests_for_different_users.toml` | Missing field in `KEEP` clause; incomplete `stats` aggregation syntax | Added `source.user.full_name` to `KEEP`; changed `reset_counts =` to `reset_counts = count(*)` |
| `execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml` | Invalid `now(-)` function call | Changed `now(-)` to `now()` |
Categories of Fixes
- Comparison Operators - Using assignment `=` instead of equality `==`
- Type Casting - Integer values compared against mapped string fields require explicit casting
- Index Patterns - Incorrect or overly specific index patterns
- Syntax Errors - Trailing operators, missing aggregation functions, invalid function arguments
- Missing Fields - Fields used in `stats` must be included in `KEEP` clause
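A small pre-commit style checker for the syntax classes listed above, as an added example that is not part of this PR or the hunting library. The two sample queries are constructed to reproduce the broken and fixed shapes from the table; the regex checks are heuristics that look at one ES|QL command per line, which is how the queries in the table are laid out.

```python
import re

# Constructed sample queries that reproduce the fix categories from this PR;
# they are not the library's real hunting-query text.
BROKEN = """from logs-aws.cloudtrail-*
| where event.provider = "servicequotas.amazonaws.com" or
| keep @timestamp, user.name
| stats reset_counts = by source.user.full_name
| where @timestamp > now(-)"""

FIXED = """from logs-aws.cloudtrail-*
| where event.provider == "servicequotas.amazonaws.com"
| keep @timestamp, user.name, source.user.full_name
| stats reset_counts = count(*) by source.user.full_name
| where @timestamp > now()"""

def lint_esql(query: str) -> list[str]:
    """Return findings for the ES|QL syntax classes fixed in this PR (heuristic)."""
    findings: list[str] = []
    kept: set[str] = set()
    for lineno, raw in enumerate(query.splitlines(), 1):
        line = raw.strip().lstrip("|").strip()
        cmd, _, rest = line.partition(" ")
        cmd = cmd.lower()
        # 1. Assignment "=" used as a comparison inside WHERE (==, !=, <=, >= are fine)
        if cmd == "where" and re.search(r"(?<![=!<>])=(?!=)", rest):
            findings.append(f"line {lineno}: single '=' in WHERE; use '=='")
        # 2. Boolean operator left dangling with no right-hand operand
        if re.search(r"\b(or|and)\s*$", rest, re.IGNORECASE):
            findings.append(f"line {lineno}: trailing boolean operator")
        # 3. now() takes no arguments, so anything before ")" is invalid
        if re.search(r"\bnow\(\s*[^)\s]", rest):
            findings.append(f"line {lineno}: now() takes no arguments")
        # 4. Track KEEP so STATS BY fields can be checked against it
        if cmd == "keep":
            kept.update(f.strip() for f in rest.split(","))
        if cmd == "stats":
            # alias followed directly by BY or end of line has no aggregation
            if re.search(r"=\s*(by\b|$)", rest, re.IGNORECASE):
                findings.append(f"line {lineno}: stats alias has no aggregation")
            parts = re.split(r"\bby\b", rest, flags=re.IGNORECASE)
            if len(parts) == 2 and kept:
                for field in (f.strip() for f in parts[1].split(",")):
                    if field not in kept:
                        findings.append(f"line {lineno}: '{field}' grouped in STATS but not in KEEP")
    return findings

if __name__ == "__main__":
    for name, q in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_esql(q) or "no findings")
```

Running it reports five findings for `BROKEN` (single `=`, trailing `or`, missing aggregation, `source.user.full_name` absent from `KEEP`, and `now(-)`) and none for `FIXED`.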
Testing