
The field process.command_line needs to be keyword type for EQL threat detection example #61352


Closed
ywangd opened this issue Aug 20, 2020 · 2 comments · Fixed by #61367
Assignees
Labels
:Analytics/EQL EQL querying >docs General docs changes Team:Docs Meta label for docs team Team:QL (Deprecated) Meta label for query languages team

Comments

@ywangd
Member

ywangd commented Aug 20, 2020

The doc page has the following query example:

GET /my-index-000001/_eql/search
{
  "query": """
    process where process.name == "regsvr32.exe" and process.command_line != null
  """
}

However, the process.command_line field must be of keyword type for the above query to work. Otherwise, you'll get back an illegal_argument_exception. The doc test has this configuration in its build.gradle file, so it works on CI. But the doc itself does not mention this. If a user just follows the documentation by straightaway bulk indexing the provided JSON file, he/she will encounter an error at the above query.
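For readers who want to reproduce the working setup outside the doc test, the following is an added example of an explicit index mapping (it is not part of the issue, the linked docs, or the doc-test build.gradle). It assumes the index name my-index-000001 from the query above, and it maps @timestamp and event.category because those are the fields EQL search uses by default for event ordering and event categories; both process fields referenced by the query are declared as keyword so the comparison and the != null check are accepted. The body below is what you would send as PUT /my-index-000001 before bulk indexing the sample data.

```json
{
  "mappings": {
    "properties": {
      "@timestamp": { "type": "date" },
      "event": {
        "properties": {
          "category": { "type": "keyword" }
        }
      },
      "process": {
        "properties": {
          "name": { "type": "keyword" },
          "command_line": { "type": "keyword" }
        }
      }
    }
  }
}
```

The order matters: a field's type cannot be changed on an existing index, and if the bulk request is sent first, dynamic mapping assigns the string values a text type, which is exactly the case that produces the illegal_argument_exception described above. Running GET /my-index-000001/_mapping after indexing and confirming that process.command_line reports "type": "keyword" is a quick check before issuing the EQL query.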

@ywangd ywangd added >docs General docs changes :Analytics/EQL EQL querying labels Aug 20, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-ql (:Query Languages/EQL)

@elasticmachine
Collaborator

Pinging @elastic/es-docs (>docs)

@elasticmachine elasticmachine added Team:QL (Deprecated) Meta label for query languages team Team:Docs Meta label for docs team labels Aug 20, 2020
@jrodewig jrodewig self-assigned this Aug 20, 2020