Fix: EQL Double quotation issue (#90)

SigmaHQ · Nov 3, 2024 · 57efb84 · 57efb84
1 parent 869b54d
commit 57efb84
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 2 deletions.
diff --git a/sigma/backends/elasticsearch/elasticsearch_eql.py b/sigma/backends/elasticsearch/elasticsearch_eql.py
@@ -150,7 +150,7 @@ class EqlBackend(TextQueryBackend):
 
     # Value not bound to a field
     # Expression for string value not bound to a field as format string with placeholder {value}
-    unbound_value_str_expression: ClassVar[str] = '"{value}"'
+    unbound_value_str_expression: ClassVar[str] = '{value}'
     # Expression for number value not bound to a field as format string with placeholder {value}
     unbound_value_num_expression: ClassVar[str] = "{value}"
 

diff --git a/tests/test_backend_elasticsearch_eql.py b/tests/test_backend_elasticsearch_eql.py
@@ -442,7 +442,37 @@ def test_elasticsearch_eql_windash_contains(eql_backend: EqlBackend):
         """
             )
         )
-        == ['any where fieldname like~ ("*-param-name*", "*/param-name*", "*–param-name*", "*—param-name*", "*―param-name*")']
+        == [
+            'any where fieldname like~ ("*-param-name*", "*/param-name*", "*–param-name*", "*—param-name*", "*―param-name*")'
+        ]
+    )
+
+
+def test_eql_keyword_quotes(eql_backend: EqlBackend):
+    """Test for NDJSON output with embedded query string query."""
+    rule = SigmaCollection.from_yaml(
+        """
+            title: Test
+            id: c277adc0-f0c4-42e1-af9d-fab062992156
+            status: test
+            logsource:
+                category: test_category
+                product: test_product
+            detection:
+                keywords:
+                    - keywordA
+                    - keywordB
+                sel:
+                    Field: 
+                      - 1234
+                      - 5678
+                condition: sel and keywords
+        """
+    )
+    result = eql_backend.convert(rule)
+    assert (
+        result[0]
+        == 'any where (Field like~ (1234, 5678)) and ("keywordA" or "keywordB")'
     )
 
 
@@ -467,6 +497,33 @@ def test_elasticsearch_eqlapi(eql_backend: EqlBackend):
     assert result[0] == {"query": 'any where fieldA:"valueA" and fieldB:"valueB"'}
 
 
+def test_eql_keyword_quotes_eqlapi(eql_backend: EqlBackend):
+    """Test for NDJSON output with embedded query string query."""
+    rule = SigmaCollection.from_yaml(
+        """
+            title: Test
+            id: c277adc0-f0c4-42e1-af9d-fab062992156
+            status: test
+            logsource:
+                category: test_category
+                product: test_product
+            detection:
+                keywords:
+                    - keywordA
+                    - keywordB
+                sel:
+                    Field: 
+                      - 1234
+                      - 5678
+                condition: sel and keywords
+        """
+    )
+    result = eql_backend.convert(rule, output_format="eqlapi")
+    assert result[0] == {
+        "query": 'any where (Field like~ (1234, 5678)) and ("keywordA" or "keywordB")'
+    }
+
+
 def test_lucene_reference_query(eql_backend: EqlBackend):
     with pytest.raises(
         SigmaFeatureNotSupportedByBackendError,