How to close subfields when convert a sigma rule to dsl?

[leexuan]

When convert a sigma rule to dsl with the following command, the generated dsl contains subfields, like "ParentImage.keyword". Is there anyone know how to remove the ".keyword" part from "ParentImage.keyword"?

 python sigmac.py -t es-dsl -c sysmon /home/kali/Downloads/proc_creation_win_java_susp_child_process.yml

The result show as follows:

{
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": [
            {
              "match_phrase": {
                "EventID": "1"
              }
            },
            {
              "wildcard": {
                "ParentImage.keyword": "*\\\\java.exe"
              }
            },
            {
              "bool": {
                "should": [
                  {
                    "wildcard": {
                      "Image.keyword": "*\\\\sh.exe"
                    }
                  },
                  {
                    "wildcard": {
                      "Image.keyword": "*\\\\bash.exe"
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
  }
}

[andurin]

Sorry but sigmac is far out of support. Please retry your use case using pysigma + this backend and have a look for the different already available pipelines or if you need to adjust the resulted query to your customized field names you may have a look to post processing pipelines.