Fix: Feature not supported on fieldref modifier

As @defensivedepth recognized there is an upcoming modifier called "fieldref" which aims to use a field reference for comparision.

As far as I know:

EQL: Can't handle fieldreferences.
Lucene: May can handle fieldreference while using scripted queries. This isn't implemented yet and also not planned yet.

FTR - it could be something like this:

{
  "query": {
    "bool": {
      "must": [
        {
          "script": {
            "script": {
              "source": "doc['field1'].value > doc['field2'].value"
            }
          }
        }
      ]
    }
  }
}

But this may be a expensive search since the script will be applied to each document within the index.

SigmaHQ / pySigma-backend-elasticsearch

Fix: Feature not supported on fieldref modifier #64