elastic / detection-rules

Home Page:https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Bug] Review KQL Semantic Validation of Wildcard Usage for Specific Field Types

terrancedejesus opened this issue · comments

Related

Summary

As discussed and shown in #3316, the use of * wildcards in certain field types fails semantic validation via the KQL parser library, but should be allowed. This query is valid upstream in Discover or Kibana, but fails validation locally due to a bug in the custom KQL parser.

Example query to use for debugging:

host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and
  process.name:kworker* and not destination.ip:("192.168.*" or "172.*" or "10.*" or "127.*" or "169.254.*")

We should focus our debug efforts on

raise self.error(tree, "Unable to perform wildcard on field {field} of {type}",
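The following is an added illustration of the semantic check being discussed, written for this page; it is not code from the detection-rules repository or its kql library. It models a field-type-aware wildcard validator on the values that appear in the query above. `FIELD_TYPES` is a hand-written subset modelled on ECS, `WILDCARD_TYPES` (the types on which a bare wildcard is accepted without further checks) and the IPv4-prefix rule for `ip` fields are assumptions made for the example, and `strict=True` reproduces the over-restrictive behaviour the issue describes (any wildcard on a non-string field is rejected with the same message) so the two behaviours can be compared side by side.

```python
"""Field-type-aware wildcard validation for KQL field:value pairs.

Constructed example for this page; not the detection-rules kql library.
"""


# Constructed subset of field -> type mappings, modelled on ECS (assumption;
# the real project loads these from schema files).
FIELD_TYPES = {
    "host.os.type": "keyword",
    "event.category": "keyword",
    "event.action": "keyword",
    "process.name": "keyword",
    "destination.ip": "ip",
    "destination.port": "long",
}

# Types on which a wildcard value is accepted as-is (assumption for this example).
WILDCARD_TYPES = {"keyword", "text", "wildcard"}


class KqlSemanticError(ValueError):
    """Raised when a field:value pair fails the semantic check."""


def _ipv4_prefix_ok(pattern: str) -> bool:
    """Accept dotted IPv4 prefixes such as '10.*', '192.168.*', '169.254.*'.

    Rule used here (an assumption, not the project's): '*' alone is allowed;
    otherwise the wildcard must be the final dotted component and every
    literal component before it must be a valid octet (0-255).
    """
    if pattern == "*":
        return True
    parts = pattern.split(".")
    if parts[-1] != "*" or len(parts) > 4:
        return False
    literal = parts[:-1]
    if not literal:
        return False
    return all(p.isdigit() and 0 <= int(p) <= 255 for p in literal)


def check_wildcard(field: str, value: str, strict: bool = False) -> str:
    """Validate one field:value pair and return the value when it is allowed.

    strict=True: any wildcard on a field outside WILDCARD_TYPES is rejected
    (the over-restrictive behaviour described in the issue).
    strict=False: ip fields additionally accept dotted IPv4 prefixes.
    """
    if field not in FIELD_TYPES:
        raise KqlSemanticError(f"Unknown field {field}")
    if "*" not in value:
        return value
    ftype = FIELD_TYPES[field]
    if ftype in WILDCARD_TYPES:
        return value
    if not strict and ftype == "ip" and _ipv4_prefix_ok(value):
        return value
    raise KqlSemanticError(f"Unable to perform wildcard on field {field} of {ftype}")


def check_pairs(pairs, strict: bool = False):
    """Return (field, value, error_message_or_None) for each pair."""
    results = []
    for field, value in pairs:
        try:
            check_wildcard(field, value, strict=strict)
            results.append((field, value, None))
        except KqlSemanticError as exc:
            results.append((field, value, str(exc)))
    return results


# Constructed (field, value) pairs lifted from the query in the issue.
QUERY_PAIRS = [
    ("host.os.type", "linux"),
    ("event.category", "network"),
    ("event.action", "connection_attempted"),
    ("event.action", "connection_accepted"),
    ("process.name", "kworker*"),
    ("destination.ip", "192.168.*"),
    ("destination.ip", "172.*"),
    ("destination.ip", "10.*"),
    ("destination.ip", "127.*"),
    ("destination.ip", "169.254.*"),
]


if __name__ == "__main__":
    for mode in (True, False):
        print(f"strict={mode}")
        for field, value, err in check_pairs(QUERY_PAIRS, strict=mode):
            print(f"  {field}:{value} -> {err or 'ok'}")
```

Run as a script, the strict pass rejects all five `destination.ip` values with the message quoted in the issue while accepting `process.name:kworker*`; the relaxed pass accepts the whole query but still rejects a wildcard on a `long` field or a malformed prefix such as `256.*`, so loosening the check for `ip` does not mean dropping type validation altogether.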