"-" charecter escape

anonymous

I want to create a rule for MSExchange, the query string for the rule was taken from Sigma rules and converted to a Lucene query format with the help of sigma converter. However, when I click the "test rule" it fails on escaping a dash charecter. I tried to remove the backslashes but it didn't work as well.

The configuration for the rule looks like below:

filter:
- query_string:
query: "winlog.channel:MSExchange\ Management AND ((event.code:(6 OR 8)) AND (winlog.event_data.Data:(*Cmdlet\ failed.\ Cmdlet\ Get-App,\ * OR Task\ Get-App\ throwing\ unhandled\ exception:\ System.InvalidCastException:)))"

When I click test rule it shows the following error:
unknown escape sequence at line 3, column 139: ... :(*Cmdlet\ failed.\ Cmdlet\ Get\-App,\ * OR *Task\ Get\-App\ thr ... ^
The error doesn't show the full text, just the pop-up window on the bottom right of the UI

SzymonC

Hi,

OK, so there are couple of things to cover here:

- sign was not an issue, the indentation was. Alerts are created in YAML structure and they are sensitive for indents. That's why it is always recommended to use formats from Example sections, where indents are already placed. IF you don't see Example button in Alerts, it is highly recommended to update system to newest version. Example below:
In this case, Sigma Converter did terrible job, this query was overcomplicated. You can always check your Lucene query in Discover module to see if it is working. For example your query is trying to escape white signs (spaces), while in general we don't do that. Lucene use " " marks. More info: https://lucene.apache.org/core/2_9_4/queryparsersyntax.html#Fields
We do escape special characters, like :. More info: https://lucene.apache.org/core/2_9_4/queryparsersyntax.html#Escaping%20Special%20Characters
When you have to use " " marks in Alert definition, you can use ' ' to close them withing query configuration, so: ' > ".
Example: query:'title:"Marry Had a Little Lamb" AND author:("Buddy Guy" OR "Lowell Mason")'

I've tried to fix that query and i think this is what you are looking for. Check it out. It works in my tests:

  filter:
    - query_string:
        query: 'winlog.channel:"MSExchange Management" AND event.code:(6 OR 8) AND winlog.event_data.Data:("*Cmdlet failed. Cmdlet Get-App*" OR "Task Get-App throwing unhandled exception\: System.InvalidCastException")'

Screen:

I hope this helps!

anonymous

Hello again, thank you for your reply, it really helped