
ESQL: Field existence check has opposite logic

Open rtkmaryang opened this issue 5 months ago • 0 comments

The code below applies the opposite check for the Sigma field existence check: https://github.com/SigmaHQ/pySigma-backend-elasticsearch/blob/43fb3ba3945c143fb5912bb02e8f35bf5bcd22c5/sigma/backends/elasticsearch/elasticsearch_esql.py#L98-L100

When parsing the rule below to ESQL, the condition for the existence check is the opposite of what it should be:

title: Foo bar
id: 37f81956-cd70-4d0d-8e0d-95229e13f3ab
name: foo-bar
status: experimental
logsource:
  product: windows
  service: sysmon
detection:
  mandatory_fields_hostname_exist:
    host.hostname|exists: true
  condition: >
    1 of mandatory_fields_*_exist
level: high

The generated ESQL is:

from * | where host.hostname is null

Expected generated ESQL:

from * | where host.hostname is NOT null

rtkmaryang avatar Sep 24 '24 00:09 rtkmaryang
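As an added example (not code from pySigma-backend-elasticsearch or from the issue author), the following stand-alone Python generator implements the `|exists` modifier with the polarity the report expects (`exists: true` becomes `is not null`, `exists: false` becomes `is null`) and keeps the inverted mapping beside it for comparison. It supports only `field|exists` items, plain equality items and a `1 of <pattern>` condition, which is enough to reproduce the rule from the report; all function names (`exists_condition`, `rule_to_esql`, `ISSUE_DETECTION`, and so on) are this example's own, and the detection dict is constructed from the rule quoted above.

```python
"""Minimal Sigma -> ESQL generator for the existence check.

Added example, not part of pySigma-backend-elasticsearch. It covers just
enough of Sigma's detection syntax to check the polarity of `|exists`
translations side by side with the inverted mapping the issue describes.
"""
import fnmatch
import re

# Dotted ECS-style field names accepted by this toy generator.
_FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")
# Only the `1 of <glob>` condition form used in the report is handled.
_ONE_OF_RE = re.compile(r"^\s*1\s+of\s+(\S+)\s*$")


def exists_condition(field, should_exist):
    """Correct mapping: `exists: true` -> IS NOT NULL, `exists: false` -> IS NULL."""
    if not _FIELD_RE.match(field):
        raise ValueError(f"unsupported field name: {field!r}")
    return f"{field} is not null" if should_exist else f"{field} is null"


def buggy_exists_condition(field, should_exist):
    """The inverted mapping reported in the issue, kept only for comparison."""
    return f"{field} is null" if should_exist else f"{field} is not null"


def _quote(value):
    """Render a scalar as a double-quoted ESQL string literal."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def selection_to_esql(selection):
    """Convert one Sigma selection (AND of its items) to an ESQL predicate."""
    parts = []
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        if modifier == "exists":
            if not isinstance(value, bool):
                raise ValueError(f"{key}: exists modifier needs a boolean, got {value!r}")
            parts.append(exists_condition(field, value))
        elif modifier == "":
            parts.append(f"{field} == {_quote(value)}")
        else:
            raise ValueError(f"{key}: modifier {modifier!r} not supported here")
    if not parts:
        raise ValueError("empty selection")
    return " and ".join(parts)


def rule_to_esql(detection, index="*"):
    """Build `from <index> | where ...` for a detection with a `1 of <glob>` condition."""
    condition = detection["condition"].strip()
    match = _ONE_OF_RE.match(condition)
    if not match:
        raise ValueError(f"only '1 of <pattern>' conditions are supported, got {condition!r}")
    pattern = match.group(1)
    names = [n for n in detection if n != "condition" and fnmatch.fnmatchcase(n, pattern)]
    if not names:
        raise ValueError(f"no selection matches {pattern!r}")
    clauses = [selection_to_esql(detection[n]) for n in names]
    # `1 of` is an OR over the matching selections; a single clause needs no parentheses.
    where = clauses[0] if len(clauses) == 1 else " or ".join(f"({c})" for c in clauses)
    return f"from {index} | where {where}"


# Constructed from the rule quoted in the report (detection section only).
ISSUE_DETECTION = {
    "mandatory_fields_hostname_exist": {"host.hostname|exists": True},
    "condition": "1 of mandatory_fields_*_exist\n",  # folded YAML keeps a newline
}


if __name__ == "__main__":
    print("reported output:", "from * | where " + buggy_exists_condition("host.hostname", True))
    print("expected output:", rule_to_esql(ISSUE_DETECTION))
```

Running the module prints the inverted clause from the report next to the expected one, which is the kind of regression check a fix for the linked lines should ship with: both `exists: true` and `exists: false` need asserting, since an inverted mapping passes any test that only checks one polarity.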