security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #355 from agix/allow_empty_keyword

Browse Source 
Allow empty keyword_field
This commit is contained in:
Thomas Patzke
2019-05-28 21:45:55 +02:00
committed by GitHub
parent 2ecc55c13f 4168c0ec64
commit 04d91573f3
1 changed files with 7 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/sigma/backends/elasticsearch.py
+7 -3
View File
@@ -55,6 +55,10 @@ class ElasticsearchWildcardHandlingMixin(object):
Determine if values contain wildcards. If yes, match on keyword field else on analyzed one.
Decide if field value should be quoted based on the field name decision and store it in object property.
"""
if self.keyword_field == '':
self.matchKeyword = True
return fieldname
if fieldname not in self.blacklist and (
type(value) == list and any(map(self.containsWildcard, value)) \
or self.containsWildcard(value)
@@ -648,7 +652,7 @@ class ElastalertBackend(MultiRuleOutputMixin, ElasticsearchQuerystringBackend):
if parsed.parsedAgg:
if parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_COUNT or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_MIN or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_MAX or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_AVG or parsed.parsedAgg.aggfunc == sigma.parser.condition.SigmaAggregationParser.AGGFUNC_SUM:
if parsed.parsedAgg.groupfield is not None:
rule_object['query_key'] = parsed.parsedAgg.groupfield + ".keyword"
rule_object['query_key'] = self.fieldNameMapping(parsed.parsedAgg.groupfield, '*')
rule_object['type'] = "metric_aggregation"
rule_object['buffer_time'] = interval
rule_object['doc_type'] = "doc"
@@ -659,7 +663,7 @@ class ElastalertBackend(MultiRuleOutputMixin, ElasticsearchQuerystringBackend):
rule_object['metric_agg_type'] = parsed.parsedAgg.aggfunc_notrans
if parsed.parsedAgg.aggfield:
rule_object['metric_agg_key'] = parsed.parsedAgg.aggfield + ".keyword"
rule_object['metric_agg_key'] = self.fieldNameMapping(parsed.parsedAgg.aggfield, '*')
else:
rule_object['metric_agg_key'] = "_id"
@@ -754,7 +758,7 @@ class ElastalertBackend(MultiRuleOutputMixin, ElasticsearchQuerystringBackend):
if idx == agg.aggfunc:
funcname = name
break
raise NotImplementedError("%s : The '%s' aggregation operator is not yet implemented for this backend"%(self.title, funcname))
raise NotImplementedError("%s : The '%s' aggregation operator is not yet implemented for this backend"%(self.title, funcname))
def convertLevel(self, level):
return {