Add support for eql-wildcard and kql-match_only_text (#1583)

* Add support for eql-wildcard and kql-match_only_text * bump kql version * lookup elasticsearch type family prior to getting type hint Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> (cherry picked from commit d12c04761f)
2021-10-28 08:57:43 -05:00
parent 3e717800a8
commit fa3b089c4c
3 changed files with 10 additions and 5 deletions
@@ -175,9 +175,10 @@ class KqlSchema2Eql(eql.Schema):
        "keyword": eql.types.TypeHint.String,
        "ip": eql.types.TypeHint.String,
        "float": eql.types.TypeHint.Numeric,
-        "double": eql.types.TypeHint.Numeric,
-        "long": eql.types.TypeHint.Numeric,
-        "short": eql.types.TypeHint.Numeric,
+        # "double": eql.types.TypeHint.Numeric,
+        # "long": eql.types.TypeHint.Numeric,
+        # "short": eql.types.TypeHint.Numeric,
+        "integer": eql.types.TypeHint.Numeric,
        "boolean": eql.types.TypeHint.Boolean,
    }

@@ -191,9 +192,12 @@ class KqlSchema2Eql(eql.Schema):
        return True

    def get_event_type_hint(self, event_type, path):
+        from kql.parser import elasticsearch_type_family
+
        dotted = ".".join(path)
        elasticsearch_type = self.kql_schema.get(dotted)
-        eql_hint = self.type_mapping.get(elasticsearch_type)
+        es_type_family = elasticsearch_type_family(elasticsearch_type)
+        eql_hint = self.type_mapping.get(es_type_family)

        if eql_hint is not None:
            return eql_hint, None
@@ -13,7 +13,7 @@ from .evaluator import FilterGenerator
 from .kql2eql import KqlToEQL
 from .parser import lark_parse, KqlParser

-__version__ = '0.1.5'
+__version__ = '0.1.6'
 __all__ = (
    "ast",
    "from_eql",
@@ -58,6 +58,7 @@ def elasticsearch_type_family(mapping_type: str) -> str:
        # text search types
        "annotated-text": "text",
        "completion": "text",
+        "match_only_text": "text",
        "search-as_you_type": "text",

        # keyword