From e3040d80198c4d4957b4e2b52fa2bf01c8d14e00 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Tue, 13 Sep 2022 11:38:29 -0400
Subject: [PATCH] [Bug] Keyerror on rule-survey hits (#2293)
---
 detection_rules/eswrap.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/detection_rules/eswrap.py b/detection_rules/eswrap.py
index 75bb05f09..5d8bab633 100644
--- a/detection_rules/eswrap.py
+++ b/detection_rules/eswrap.py
@@ -39,9 +39,17 @@ def parse_unique_field_results(rule_type: str, unique_fields: List[str], search_
 hits = hits['hits'] if rule_type != 'eql' else hits.get('events') or hits.get('sequences', [])
 for hit in hits:
 for field in unique_fields:
- match = nested_get(hit['_source'], field)
- if not match:
- continue
+ if 'events' in hit:
+ match = []
+ for event in hit['events']:
+ matched = nested_get(event['_source'], field)
+ match.extend([matched] if not isinstance(matched, list) else matched)
+ if not match:
+ continue
+ else:
+ match = nested_get(hit['_source'], field)
+ if not match:
+ continue
 match = ','.join(sorted(match)) if isinstance(match, list) else match
 parsed_results[field][match] += 1
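Review bot: In the new `'events' in hit` branch, an event that lacks the field makes `nested_get` return a falsy value (presumably `None`) which is still appended to `match`, so the `if not match` guard passes on a partially matching sequence and the later `','.join(sorted(match))` raises `TypeError` (`sorted` on mixed `str`/`None`, or `join` on a lone `None`) — the KeyError is traded for a different crash. Skip empty per-event values before collecting them by inserting `if not matched:` / `continue` between the `matched = nested_get(...)` line and the `match.extend(...)` line. The `if not match: continue` that is now duplicated in both branches can then be hoisted to a single check after the `if`/`else`. Note that `event['_source']` still indexes directly, so a sequence event returned without `_source` (e.g. a search issued with source filtering) would hit the same KeyError this commit fixes for top-level hits; `nested_get(event.get('_source', {}), field)` is the defensive form if `nested_get` tolerates an empty dict. The enclosing `parse_unique_field_results` begins above the hunk and its trailing lines are not shown.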