Unrecognized keys error while creating custom detection rule from raw log

Hi Everyone

I am trying to create a custom detection rule from raw logs, but even though my data is in key-value pairs, I am getting an "Unrecognized keys" error in the LEQL rule logic section.

Can anyone please help me with this?


-Cross-posted from another thread-

Hello hello!
A couple of things here. Firstly, as the LEQL is valid, you should still be able to save your rule as written. The message isn’t actually an error: as the rule is based on the ‘raw’ logs, we are currently not able to provide schema validation, so we’re just letting you know that we can’t confirm the key exists. However, if there are known examples of this happening previously, you can validate the query with the ‘Evaluate in log search’ option.
Secondly, and just FYI, there are a few improvements we are working on in this exact area to help explain some of the frequently asked questions we are beginning to see when creating Custom Rules on raw and unparsed logs (along with some longer-term ones to provide raw log schema validation), so please let us know if you have any more questions for us!
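The reply above explains why the platform cannot validate keys for a rule written against raw logs (there is no schema to check against) and suggests running the same query in Log Search over historical data instead. The following is an added example, not code from the thread or from the vendor, that reproduces that check locally: it parses constructed key=value log lines, reports which keys a rule references that never appear in the data (the local analogue of the "Unrecognized keys" warning), and lists the lines the rule would match. The sample log lines, the key=value format and the simplified rule representation as a list of (key, value) conditions are all assumptions for illustration; they are not LEQL syntax.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample raw logs in key=value form (illustrative only, not from the thread).
SAMPLE_RAW_LOGS = [
    'timestamp=2024-01-01T10:00:00Z event_type=login user="alice" src_ip=10.0.0.5 result=success',
    'timestamp=2024-01-01T10:00:07Z event_type=login user="bob" src_ip=10.0.0.9 result=failure',
    'timestamp=2024-01-01T10:00:12Z event_type=login user="bob" src_ip=10.0.0.9 result=failure',
    'timestamp=2024-01-01T10:01:00Z event_type=file_write user="alice" path="/etc/passwd" result=success',
]

# Matches key=value or key="quoted value"; keys are identifier-like tokens,
# quoted values may contain spaces and backslash-escaped quotes.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Extract key/value pairs from one raw log line, stripping quotes from values."""
    pairs: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        pairs[key] = value
    return pairs


# Simplified rule representation (assumption): a list of (key, expected value)
# conditions that must all hold, i.e. an AND-joined set of key=value tests.
Condition = Tuple[str, str]


def unrecognized_keys(conditions: List[Condition], raw_logs: List[str]) -> Set[str]:
    """Keys the rule references that never occur in the supplied raw logs.

    Without a schema for raw logs the platform cannot do this check; running it
    over historical lines is the local equivalent of 'Evaluate in log search'.
    A typo such as evnt_type shows up here before the rule is ever saved.
    """
    seen: Set[str] = set()
    for line in raw_logs:
        seen.update(parse_kv(line))
    return {key for key, _ in conditions} - seen


def matching_lines(conditions: List[Condition], raw_logs: List[str]) -> List[str]:
    """Return the raw lines on which every condition holds (exact, case-sensitive)."""
    hits: List[str] = []
    for line in raw_logs:
        fields = parse_kv(line)
        if all(fields.get(key) == value for key, value in conditions):
            hits.append(line)
    return hits


if __name__ == "__main__":
    rule = [("event_type", "login"), ("result", "failure")]
    typo_rule = [("evnt_type", "login")]
    print("unrecognized keys (good rule):", unrecognized_keys(rule, SAMPLE_RAW_LOGS))
    print("unrecognized keys (typo rule):", unrecognized_keys(typo_rule, SAMPLE_RAW_LOGS))
    for hit in matching_lines(rule, SAMPLE_RAW_LOGS):
        print("match:", hit)
```

The practical point is the order of checks: confirm the key names exist in real historical lines first, then confirm the full condition set actually matches something. A rule whose keys are all present but whose conditions never match is just as silent as one with a misspelled key, and neither condition is something a save-time warning on raw logs can catch.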

Thanks @nick_mifsud4 for the response.
As it is just an alert, not an error, I am also able to save the rule. But can you confirm that this rule will create alerts after the logs are detected as per the logic and will work fine?

I can’t see any reason why not, if the keys exist and so on. Have you tried the query in Log Search to find any prior matches?

Yes, I tried the query in Log Search and it works fine. So it should also work in the detection rule, correct?

Yes, it should be grand then.