feat: ✨ Add exists modifer for lucene (#117)

frack113 · web-flow · commit 7455d58be423 · 2025-01-27T13:35:08.000+01:00
diff --git a/sigma/backends/elasticsearch/elasticsearch_lucene.py b/sigma/backends/elasticsearch/elasticsearch_lucene.py
@@ -134,6 +134,10 @@ class LuceneBackend(TextQueryBackend):
     # List element separator
     list_separator: ClassVar[str] = " OR "
 
+    # Check if a field exists in the log not the value
+    field_exists_expression: ClassVar[str] = "_exists_:{field}"
+    field_not_exists_expression: ClassVar[str] = "NOT _exists_:{field}"
+    
     # Value not bound to a field
     # Expression for string value not bound to a field as format string with placeholder {value}
     unbound_value_str_expression: ClassVar[str] = "*{value}*"
diff --git a/tests/test_backend_elasticsearch_lucene.py b/tests/test_backend_elasticsearch_lucene.py
@@ -484,6 +484,26 @@ def test_lucene_windash_contains(lucene_backend: LuceneBackend):
         ]
     )
 
+def test_elasticsearch_exists(lucene_backend: LuceneBackend):
+    assert (
+        lucene_backend.convert(
+            SigmaCollection.from_yaml(
+                """
+                title: Test
+                status: test
+                logsource:
+                    category: test_category
+                    product: test_product
+                detection:
+                    sel:
+                        fieldA|exists: yes
+                        fieldB|exists: no
+                    condition: sel
+            """
+            )
+        )
+        == ['_exists_:fieldA AND NOT _exists_:fieldB']
+    )
 
 def test_lucene_reference_query(lucene_backend: LuceneBackend):
     with pytest.raises(
