Why this error message ? '}'


Hi,

I come to you because I have an error when I execute the following query. Could anyone help me please?

Here is my query:

(MsWinEventLog OR norm_id=WinServer*) label=Object label=Access  (access_list=\"*4417*\" OR access=\"*WriteData*\") {{user},}, {{fileshare},}, {{path},},  -relative_target in SYSTEM_PATHS | rename relative_target as Object, share_path as Path |  chart count() by user, device_name, object_type,Path, Object | fields user, device_name, object_type, Path, Object

and when I execute this query I receive this error message:

Thanks in advance
Looking forward to reading you

Gustav Elkjær Rødsgaard

Hi Micropole,

I’m not entirely sure why your query looks like that. However, after some testing I got it working with a modified version like below:

(MsWinEventLog OR norm_id=WinServer*) label=Object label=Access (access_list="*4417*" OR access="*WriteData*")

-relative_target in SYSTEM_PATHS

| rename relative_target as Object, share_path as Path

| chart count() by user, device_name, object_type,Path, Object

| fields user, device_name, object_type, Path, Object

You have to have the list “SYSTEM_PATHS” in the Logpoint for the query to work as well.

Best Regards,
Gustav

Micropole

Hi Gustav,

Thank you so much. It works now.

Best Regards,
