From eb0bcd7c9fa79bb2a87180ce13e33de906608cc7 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 28 Apr 2022 19:54:00 +0000
Subject: [PATCH] updating hawk field translation, and bug when an author field is not present in a sig
---
 tools/config/hawk.yml | 2 +-
 tools/sigma/backends/hawk.py | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index c99676763..fbfbf754d 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -562,4 +562,4 @@ fieldmappings:
 sc-bytes: http_content_length
 user-agent: http_user_agent
 cs-User-Agent: http_user_agent
- r-dns: ip_dst_host
+ r-dns: http_host
diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py
index 32b845d31..e5069a059 100644
--- a/tools/sigma/backends/hawk.py
+++ b/tools/sigma/backends/hawk.py
@@ -643,7 +643,10 @@ class HAWKBackend(SingleTextQueryBackend):
 raise Exception("Failed to parse json: %s" % analytic_txt)
 cmt = "Sigma Rule: %s\n" % sigmaparser.parsedyaml['id']
- cmt += "Author: %s\n" % sigmaparser.parsedyaml['author']
+ if 'author' in sigmaparser.parsedyaml:
+ cmt += "Author: %s\n" % sigmaparser.parsedyaml['author']
+ else:
+ cmt += "Author: Unknown\n"
 cmt += "Level: %s\n" % sigmaparser.parsedyaml['level']
 if 'falsepositives' in sigmaparser.parsedyaml and type(sigmaparser.parsedyaml['falsepositives']) is list:
 if len(sigmaparser.parsedyaml['falsepositives']) > 0:
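Review bot: The KeyError this hunk guards against for `author` still occurs one line later, where `cmt += "Level: %s\n" % sigmaparser.parsedyaml['level']` indexes the parsed rule unconditionally, and the `['id']` lookup on the preceding context line is equally unguarded; both keys are optional in the Sigma rule format, so a rule missing either still aborts the conversion with an unhandled exception rather than the "Unknown" fallback the commit introduces for author. The new four-line branch can also collapse to `cmt += "Author: %s\n" % sigmaparser.parsedyaml.get('author', 'Unknown')`, and the same `.get(..., 'Unknown')` form would cover `level` and `id` consistently. The enclosing method of HAWKBackend starts and ends outside the hunk, so whether parsedyaml is validated earlier in it cannot be confirmed from here.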