
ES|QL Index list handling

Open WildDogOne opened this issue 6 months ago • 0 comments

I have noticed that the ES|QL backend does not differentiate between a string and a list of strings. Because of this, if there is a pipeline which adds a list of strings, the output will be wrong. Example:

  - id: Firewall
    type: set_state
    key: "index"
    val:
      - logs-panw.panos-*
      - logs-cisco.ftd-*
      - logs-cisco.asa-*
    rule_conditions:
      - type: logsource
        category: firewall

translates to:

from ['logs-panw.panos-*', 'logs-cisco.ftd-*', 'logs-cisco.asa-*']

it should translate to

from logs-panw.panos-*,logs-cisco.ftd-*,logs-cisco.asa-*

The obvious fix is to make one comma-separated list in the pipeline instead. But I also think that goes against the mentality of YAML.

https://github.com/SigmaHQ/pySigma-backend-elasticsearch/blob/bb0c64c47a544411060999d677f1a1047de241b4/sigma/backends/elasticsearch/elasticsearch_esql.py#L26

WildDogOne avatar Aug 19 '24 19:08 WildDogOne
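As an added example (not code from pySigma-backend-elasticsearch or from the issue author), the following shows how a backend could normalize the `index` state value so that both a plain string and a YAML list of index patterns render to the comma-separated form ES|QL expects. The `set_state` value is embedded as a constructed dict that mirrors the pipeline item in the issue; the allow-list regex for index patterns is an assumption made for this example, chosen so that a pipeline value cannot smuggle additional ES|QL syntax into the generated `from` clause.

```python
import re
from typing import Iterable, List, Union

# A pipeline may hand us either "logs-*" or ["logs-a-*", "logs-b-*"].
IndexSpec = Union[str, Iterable[str]]

# Conservative allow-list for an index pattern inside an ES|QL FROM clause:
# lowercase letters, digits, '.', '-', '_', the '*' wildcard and ':' for
# remote-cluster prefixes. This allow-list is an assumption for the example,
# not a rule taken from pySigma or from Elasticsearch documentation.
_INDEX_PATTERN_RE = re.compile(r"^[a-z0-9._\-*:]+$")


def normalize_index_list(index: IndexSpec) -> List[str]:
    """Return a de-duplicated list of validated index patterns.

    Accepts a single string (optionally already comma-separated) or any
    iterable of strings, so a YAML list and a hand-written CSV string both
    work. Whitespace around entries is stripped; empty entries are dropped.
    """
    if isinstance(index, str):
        items = index.split(",")
    else:
        items = list(index)

    patterns: List[str] = []
    seen = set()
    for raw in items:
        if not isinstance(raw, str):
            raise TypeError(f"index pattern must be a string, got {type(raw).__name__}")
        name = raw.strip()
        if not name:
            continue
        # Reject anything outside the allow-list: spaces, pipes, quotes and
        # other characters that would change the meaning of the FROM clause.
        if not _INDEX_PATTERN_RE.match(name):
            raise ValueError(f"invalid index pattern: {name!r}")
        if name not in seen:
            seen.add(name)
            patterns.append(name)

    if not patterns:
        raise ValueError("index list is empty")
    return patterns


def render_from_clause(index: IndexSpec) -> str:
    """Render the ES|QL source clause, e.g. 'from logs-a-*,logs-b-*'."""
    return "from " + ",".join(normalize_index_list(index))


# Constructed state value, equivalent to what the 'Firewall' set_state item
# in the issue would place into the processing pipeline state.
FIREWALL_STATE = {
    "index": [
        "logs-panw.panos-*",
        "logs-cisco.ftd-*",
        "logs-cisco.asa-*",
    ]
}

if __name__ == "__main__":
    print(render_from_clause(FIREWALL_STATE["index"]))
    print(render_from_clause("logs-*"))
```

Passing the list straight into an f-string is what produces the `['...', '...']` output shown in the issue; routing every `index` value through `normalize_index_list` first gives the same result regardless of whether the pipeline author used a scalar or a YAML sequence.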