ESQL: Field existence check has opposite logic #78

rtkmaryang · 2024-09-24T00:53:53Z

The below code shows the opposite check for the field existence check for sigma rules

pySigma-backend-elasticsearch/sigma/backends/elasticsearch/elasticsearch_esql.py

Lines 98 to 100 in 43fb3ba

    
           # Field existence condition expressions. 
        
           field_exists_expression : ClassVar[str] = "{field} is null"          # Expression for field existence as format string with {field} placeholder for field name 
        
           field_not_exists_expression : ClassVar[str] = "{field} is not null"      # Expression for field non-existence as format string with {field} placeholder for field name. If not set, field_exists_expression is negated with boolean NOT.

When parsing below rule to ESQL, the condition for existence check is opposite

title: Foo bar
id: 37f81956-cd70-4d0d-8e0d-95229e13f3ab
name: foo-bar
status: experimental
logsource:
  product: windows
  service: sysmon
detection:
  mandatory_fields_hostname_exist:
    host.hostname|exists: true
  condition: >
    1 of mandatory_fields_*_exist
level: high

The generated ESQL is:

from * | where host.hostname is null

Expected generated ESQL

from * | where host.hostname is NOT null

The text was updated successfully, but these errors were encountered:

rtkmaryang changed the title ~~ESQL: Field existence check has opposite logic logic~~ ESQL: Field existence check has opposite logic Sep 24, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ESQL: Field existence check has opposite logic #78

ESQL: Field existence check has opposite logic #78

rtkmaryang commented Sep 24, 2024

ESQL: Field existence check has opposite logic #78

ESQL: Field existence check has opposite logic #78

Comments

rtkmaryang commented Sep 24, 2024