Problem in logical operator execution order : WHERE vs SEARCH

[IgorHrkswxryski]

Hello,

It seems there is a problem in tstat searches in terms of logical operator execution order.
I am trying to convert in tstat search the following rule :

title: Windows Schtasks Create Run As System
id: 41a0e58e-884c-11ec-9976-acde48001122
status: stable
description: The analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe.
author: author
date: 2024/01/01
tags:
  - attack.execution
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1053.005
logsource:
  category: process_creation
  product: windows
detection:
  selection_1:
    CommandLine: "schtasks.exe"
  selection_2:
    OriginalFileName: "schtasks.exe"
  selection_3:
    CommandLine|contains: "*/create *"
    CommandLine|endswith: "*/ru *system"
  condition: (selection_1 or selection_2) and selection_3
type: TTP
level: medium

This give me the following result :
| tstats [...] from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe Processes.process="*/create *" AND Processes.process="*/ru *" AND Processes.process="*system*" by Processes.dest [...]

The logical operator priority seems to be wrong as i want instead (notice the brackets):
| tstats [...] from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe) Processes.process="*/create *" AND Processes.process="*/ru *" AND Processes.process="*system*" by Processes.dest [...]

There are differences in terms of logical operator priority between SEARCH and WHERE commands in splunk :
https://docs.splunk.com/Documentation/Splunk/8.0.4/Search/Booleanexpressions

Thanks in advance for your return !

[thomaspatzke]

Thanks for bringing this up, flagged as bug.

[thomaspatzke]

I checked it again and done some tests. The tstats where expression follows indeed the semantics of search. Therefore, this is not a bug.