Open rtkmaryang opened 5 days ago
The code below shows the opposite check for the field-existence check in Sigma rules: https://github.com/SigmaHQ/pySigma-backend-elasticsearch/blob/43fb3ba3945c143fb5912bb02e8f35bf5bcd22c5/sigma/backends/elasticsearch/elasticsearch_esql.py#L98-L100
When parsing the rule below to ESQL, the condition for the existence check is the opposite of what it should be.
```yaml
title: Foo bar
id: 37f81956-cd70-4d0d-8e0d-95229e13f3ab
name: foo-bar
status: experimental
logsource:
  product: windows
  service: sysmon
detection:
  mandatory_fields_hostname_exist:
    host.hostname|exists: true
  condition: >
    1 of mandatory_fields_*_exist
level: high
```
The generated ESQL is:
```
from * | where host.hostname is null
```
Expected generated ESQL:
```
from * | where host.hostname is NOT null
```
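To make the expected polarity concrete, here is a minimal emitter for the Sigma `|exists` modifier in ES|QL together with a regression check that would catch the inversion reported above. This is an added example, not code from pySigma or pySigma-backend-elasticsearch; the function names (`esql_exists`, `render_query`, `polarity_ok`) and the inline detection block are assumptions constructed to mirror the rule in the issue, and only the `exists` modifier and plain equality are handled.

```python
"""Minimal ES|QL emitter for the Sigma `|exists` modifier (added example).

Not the pySigma backend's code. The detection block below is constructed
to mirror the rule in the issue; `|exists: true` must map to `is not null`.
"""
from typing import Dict, List, Union

Selection = Dict[str, Union[bool, str]]

# Constructed detection block (same shape as the issue's rule).
DETECTION: Dict[str, Selection] = {
    "mandatory_fields_hostname_exist": {"host.hostname|exists": True},
}


def esql_exists(field: str, exists: bool) -> str:
    """Translate `field|exists: <bool>` into the ES|QL null check.

    exists: true  -> the field must be present  -> `<field> is not null`
    exists: false -> the field must be absent   -> `<field> is null`
    Swapping these two templates is exactly the bug reported above.
    """
    return f"{field} is not null" if exists else f"{field} is null"


def render_selection(selection: Selection) -> str:
    """Render one named selection as an `and`-joined ES|QL predicate."""
    parts: List[str] = []
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        if modifier == "exists":
            if not isinstance(value, bool):
                raise ValueError(f"{key}: exists expects a boolean, got {value!r}")
            parts.append(esql_exists(field, value))
        elif modifier == "":
            # Plain equality; string values are quoted.
            parts.append(f'{field}=="{value}"')
        else:
            raise NotImplementedError(f"modifier {modifier!r} not handled in this example")
    return " and ".join(parts)


def render_query(detection: Dict[str, Selection], selection_name: str, index: str = "*") -> str:
    """Build the full `from <index> | where ...` query for one selection."""
    return f"from {index} | where {render_selection(detection[selection_name])}"


def polarity_ok(generated: str, field: str, exists: bool) -> bool:
    """Regression check: does a backend's output use the right null check?

    Returns False when `exists: true` produced `is null` or `exists: false`
    produced `is not null`, i.e. when the templates are inverted.
    """
    want = esql_exists(field, exists)
    wrong = esql_exists(field, not exists)
    return want in generated and wrong not in generated


if __name__ == "__main__":
    print(render_query(DETECTION, "mandatory_fields_hostname_exist"))
    # The issue's actual output fails the check, the expected output passes.
    print(polarity_ok("from * | where host.hostname is null", "host.hostname", True))
    print(polarity_ok("from * | where host.hostname is not null", "host.hostname", True))
```

`polarity_ok` is deliberately string-based so it can be pointed at whatever the real backend emits without depending on its internals; a unit test in the backend would feed `ESQLBackend` the rule from the issue and assert on the same two strings.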