Query String issues with "And", "OR" & Wildcard

[Psyhil89]

Hi,

First of of all thank you for the great project, I am still new to the world of elastic and especially elastalert.

I have got the basic alerting working however running into issues when loading up a rule yaml with few "and", "or" & "wildcards". Below is the query and the error I get.
If I remove the quotation symbol from the query string, then query loads but without exceptions defined and fires away anything matching event code or powershell.

I am probably not writing the query string correctly and wanted to see if can be guided to fix this?

alert:
- "email"
email:
- "redacted"
name: Suspicious_Download_From_Bitsadmin
description: Detects usage of bitsadmin downloading a file
index: winlogbeat-*
priority: 3
realert:
  minutes: 0
filter:
- query_string:
    query: "(event.code:"1" and winlog.channel:"Microsoft-Windows-Sysmon/Operational" and ( winlog.event_data.Image:"C:\Windows\System32\bitsadmin.exe" or winlog.event_data.OriginalFileName:"bitsadmin.exe") and winlog.event_data.CommandLine:(*transfer* or *create?download* or *resume?download* or *complete?download* or *addfile?download* or *create?persistence* or *addfile?persistence* or *resume?persistence*))"
type: any

Traceback (most recent call last):
  File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/usr/local/lib/python3.8/dist-packages/elastalert2-2.1.1-py3.8.egg/elastalert/elastalert.py", line 2112, in <module>
    sys.exit(main(sys.argv[1:]))
  File "/usr/local/lib/python3.8/dist-packages/elastalert2-2.1.1-py3.8.egg/elastalert/elastalert.py", line 2101, in main
    client = ElastAlerter(args)
  File "/usr/local/lib/python3.8/dist-packages/elastalert2-2.1.1-py3.8.egg/elastalert/elastalert.py", line 127, in __init__
    self.rules = self.rules_loader.load(self.conf, self.args)
  File "/usr/local/lib/python3.8/dist-packages/elastalert2-2.1.1-py3.8.egg/elastalert/loaders.py", line 156, in load
    rule = self.load_configuration(rule_file, conf, args)
  File "/usr/local/lib/python3.8/dist-packages/elastalert2-2.1.1-py3.8.egg/elastalert/loaders.py", line 217, in load_configuration
    rule = self.load_yaml(filename)
  File "/usr/local/lib/python3.8/dist-packages/elastalert2-2.1.1-py3.8.egg/elastalert/loaders.py", line 236, in load_yaml
    loaded = self.get_yaml(filename)
  File "/usr/local/lib/python3.8/dist-packages/elastalert2-2.1.1-py3.8.egg/elastalert/loaders.py", line 578, in get_yaml
    return read_yaml(filename)
  File "/usr/local/lib/python3.8/dist-packages/elastalert2-2.1.1-py3.8.egg/elastalert/yaml.py", line 8, in read_yaml
    return yaml.load(yamlContent, Loader=yaml.FullLoader)
  File "/usr/lib/python3/dist-packages/yaml/__init__.py", line 114, in load
    return loader.get_single_data()
  File "/usr/lib/python3/dist-packages/yaml/constructor.py", line 49, in get_single_data
    node = self.get_single_node()
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 36, in get_single_node
    document = self.compose_document()
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 55, in compose_document
    node = self.compose_node(None, None)
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 133, in compose_mapping_node
    item_value = self.compose_node(node, item_key)
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 82, in compose_node
    node = self.compose_sequence_node(anchor)
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 111, in compose_sequence_node
    node.value.append(self.compose_node(node, index))
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 133, in compose_mapping_node
    item_value = self.compose_node(node, item_key)
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/lib/python3/dist-packages/yaml/composer.py", line 127, in compose_mapping_node
    while not self.check_event(MappingEndEvent):
  File "/usr/lib/python3/dist-packages/yaml/parser.py", line 98, in check_event
    self.current_event = self.state()
  File "/usr/lib/python3/dist-packages/yaml/parser.py", line 438, in parse_block_mapping_key
    raise ParserError("while parsing a block mapping", self.marks[-1],
yaml.parser.ParserError: while parsing a block mapping
  in "<unicode string>", line 15, column 5:
        query: "(event.code:"1" and winl ... 
        ^
expected <block end>, but found '<scalar>'
  in "<unicode string>", line 15, column 26:
        query: "(event.code:"1" and winlog.channel:"Microsoft ... 
                             ^

[jertel]

You've got a few problems in your query. I suggest reading (perhaps studying even) this page: https://lucene.apache.org/core/2_9_4/queryparsersyntax.html

And then go into Kibana on your ES cluster, change to Lucene Query syntax and get the query working properly there. Once you have the query working in Kibana and returning the correct results, refer back to what you read in the link above to properly escape the quotations and backslack characters.

[Psyhil89]

Thank you @jertel!
I see the issues now. will study 👍 the page.