netevert/sentinel-attack

Parser fields don't match detection query fields

aleixsb opened this issue · 1 comment

Hi!

Is it possible that the published parser is not the latest version? I'm seeing some inconsistencies between the fields parsed and the fields used in the queries, or I'm doing something wrong...

Ex:
Parser --> EventID
Detection --> event_id

Sysmon event 1

Parser --> process_parent_path
Detection --> process_parent_name

Hi @aleixsb yes that is correct. We are primarily focusing on porting the rules from SPL to Kusto. There are still minor inconsistencies, including the one you just pointed out, that need to be hunted down and fixed. Thanks for reporting this; I'll fix it as soon as possible.
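An added example, not code from this issue or from the sentinel-attack project: a small Python checker that derives the output schema of a KQL parser (the `extend` targets and the final `project` list) and compares it with the column names a detection query reads, so the kind of mismatch reported above shows up before the rule is deployed instead of as a silent non-match. The two KQL fragments are constructed stand-ins built around the four field names from this issue (EventID / event_id, process_parent_path / process_parent_name); the project's real parser and rules look different, and the checker only models the `extend`, `project` and `where` operators it needs for them.

```python
import re

# Constructed KQL fragments that only approximate the shape of a Sysmon parser
# and of a detection query; they are NOT the sentinel-attack project's files.
PARSER_KQL = """
Event
| where Source == "Microsoft-Windows-Sysmon"
| extend EventID = toint(EventID), process_path = tostring(EventData.Image)
| extend process_parent_path = tostring(EventData.ParentImage)
| project TimeGenerated, Computer, EventID, process_path, process_parent_path
"""

DETECTION_KQL = """
Sysmon
| where event_id == 1
| where process_parent_name =~ "cmd.exe" and process_path !endswith "conhost.exe"
| project TimeGenerated, Computer, process_path, process_parent_name
"""

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
STRING = re.compile(r'"[^"]*"|\'[^\']*\'')
# Operators and keywords that look like identifiers but are never column names.
KEYWORDS = {"where", "extend", "project", "summarize", "by", "and", "or", "not",
            "in", "has", "contains", "startswith", "endswith", "matches", "regex",
            "count", "true", "false", "asc", "desc", "order", "sort", "take", "limit"}


def _stages(kql):
    """Pipeline stages of a query with string literals blanked (so a '|' or a
    keyword inside a literal cannot confuse the tokenizer)."""
    return [s.strip() for s in STRING.sub('""', kql).strip().split("|")]


def produced_fields(parser_kql):
    """Output schema of a parser: names assigned by `extend` accumulate, and each
    `project` replaces the schema with exactly the columns it lists."""
    schema = set()
    for stage in _stages(parser_kql):
        if stage.startswith("extend "):
            # `name = expr` pairs; the lookahead keeps `==` from being read as an assignment
            schema.update(re.findall(r"([A-Za-z_]\w*)\s*=(?!=)", stage))
        elif stage.startswith("project "):
            schema = {col.strip().split("=")[0].strip()
                      for col in stage[len("project "):].split(",")}
    return schema


def referenced_fields(detection_kql):
    """Column names a detection reads: every identifier that is not the source
    table, a keyword, a function name, or a dotted sub-field access."""
    refs = set()
    for stage in _stages(detection_kql)[1:]:        # stage 0 is the table name
        body = re.sub(r"[A-Za-z_]\w*\s*\(", "", stage)  # drop function names
        body = re.sub(r"\.[A-Za-z_]\w*", "", body)       # drop .SubField accesses
        refs.update(i for i in IDENT.findall(body) if i.lower() not in KEYWORDS)
    return refs


def _normalize(name):
    return name.replace("_", "").lower()


def check(parser_kql, detection_kql):
    """Fields the detection reads but the parser never emits. A field that differs
    only by case/underscores (EventID vs event_id) gets an alias suggestion;
    anything else (process_parent_path vs process_parent_name carry different
    values, a full path versus a file name) is reported as unmapped for a human."""
    produced = produced_fields(parser_kql)
    missing = referenced_fields(detection_kql) - produced
    by_norm = {_normalize(p): p for p in produced}
    aliases = {m: by_norm[_normalize(m)] for m in missing if _normalize(m) in by_norm}
    return {"missing": sorted(missing),
            "aliases": aliases,
            "unmapped": sorted(missing - aliases.keys())}


def shim(aliases):
    """KQL stage that can sit between parser and rule until the names are reconciled."""
    if not aliases:
        return ""
    return "| extend " + ", ".join(f"{new} = {old}" for new, old in sorted(aliases.items()))


if __name__ == "__main__":
    report = check(PARSER_KQL, DETECTION_KQL)
    print(report)
    print(shim(report["aliases"]))
```

Run against a whole rules directory, the `unmapped` list is the part worth reading: an alias shim papers over naming drift, but a rule that expects a file name and receives a full path (or vice versa) will still never match, and only the parser or the rule can fix that.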