From fa3b089c4c22d4c9a042c44865a01e04c002d701 Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Thu, 28 Oct 2021 08:57:43 -0500
Subject: [PATCH] Add support for eql-wildcard and kql-match_only_text (#1583)
* Add support for eql-wildcard and kql-match_only_text
* bump kql version
* lookup elasticsearch type family prior to getting type hint
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
(cherry picked from commit d12c04761f15daa7844648bc9379f43f28d8ed9c)
---
 detection_rules/ecs.py | 12 ++++++++----
 kql/__init__.py | 2 +-
 kql/parser.py | 1 +
 3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/detection_rules/ecs.py b/detection_rules/ecs.py
index a5af5956d..e03555c13 100644
--- a/detection_rules/ecs.py
+++ b/detection_rules/ecs.py
@@ -175,9 +175,10 @@ class KqlSchema2Eql(eql.Schema):
 "keyword": eql.types.TypeHint.String,
 "ip": eql.types.TypeHint.String,
 "float": eql.types.TypeHint.Numeric,
- "double": eql.types.TypeHint.Numeric,
- "long": eql.types.TypeHint.Numeric,
- "short": eql.types.TypeHint.Numeric,
+ # "double": eql.types.TypeHint.Numeric,
+ # "long": eql.types.TypeHint.Numeric,
+ # "short": eql.types.TypeHint.Numeric,
+ "integer": eql.types.TypeHint.Numeric,
 "boolean": eql.types.TypeHint.Boolean,
 }
 
@@ -191,9 +192,12 @@ class KqlSchema2Eql(eql.Schema):
 return True
 
 def get_event_type_hint(self, event_type, path):
+ from kql.parser import elasticsearch_type_family
+
 dotted = ".".join(path)
 elasticsearch_type = self.kql_schema.get(dotted)
- eql_hint = self.type_mapping.get(elasticsearch_type)
+ es_type_family = elasticsearch_type_family(elasticsearch_type)
+ eql_hint = self.type_mapping.get(es_type_family)
 
 if eql_hint is not None:
 return eql_hint, None
diff --git a/kql/__init__.py b/kql/__init__.py
index 59c73243a..2c6b0ef23 100644
--- a/kql/__init__.py
+++ b/kql/__init__.py
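Review bot: The `double`, `long` and `short` entries of `type_mapping` are commented out rather than removed, which leaves dead text in the table and hides why they went away. Because `get_event_type_hint` now looks keys up by the family returned from `elasticsearch_type_family`, delete the three commented lines and replace them with a comment such as `# keys are Elasticsearch type families (see kql.parser.elasticsearch_type_family), not raw mapping types`. The remaining keys `keyword`, `ip` and `float` are worth checking against what the helper actually returns, otherwise a schema field of one of those types would quietly resolve to no hint. The `type_mapping` dict and the enclosing class start above the hunk.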
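Review bot: `elasticsearch_type_family(elasticsearch_type)` is now called with whatever `self.kql_schema.get(dotted)` returns, which is `None` for a field absent from the schema, while the helper is annotated `mapping_type: str`; the old `type_mapping.get(None)` tolerated that case, but the new call depends on how the helper handles a non-string, which is not visible here. Guard it so unknown fields keep their previous fall-through: `es_type_family = elasticsearch_type_family(elasticsearch_type) if elasticsearch_type is not None else None`. The function-scope import also deserves a one-line why, e.g. `# imported here rather than at module level, presumably to avoid an import cycle with kql.parser — confirm`. `get_event_type_hint` continues past the end of the hunk.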
@@ -13,7 +13,7 @@ from .evaluator import FilterGenerator
 from .kql2eql import KqlToEQL
 from .parser import lark_parse, KqlParser
-__version__ = '0.1.5'
+__version__ = '0.1.6'
 __all__ = (
 "ast",
 "from_eql",
diff --git a/kql/parser.py b/kql/parser.py
index bdf66ae05..b92863f73 100644
--- a/kql/parser.py
+++ b/kql/parser.py
@@ -58,6 +58,7 @@ def elasticsearch_type_family(mapping_type: str) -> str:
 # text search types
 "annotated-text": "text",
 "completion": "text",
+ "match_only_text": "text",
 "search-as_you_type": "text",
 # keyword