Merge pull request #48 from SigmaHQ/field-existence

Field (non)existence check expression

Author: thomaspatzke

sigma/backends/splunk/splunk.py

@@ -157,6 +157,8 @@ class SplunkBackend(TextQueryBackend):
     field_in_list_expression: ClassVar[str] = "{field} {op} ({list})"
     or_in_operator: ClassVar[Optional[str]] = "IN"
     list_separator: ClassVar[str] = ", "
+    field_exists_expression: ClassVar[str] = "{field}=*"
+    field_not_exists_expression: ClassVar[str] = "NOT {field}=*"
 
     unbound_value_str_expression: ClassVar[str] = "{value}"
     unbound_value_num_expression: ClassVar[str] = "{value}"

tests/test_backend_splunk.py

@@ -376,6 +376,27 @@ def test_splunk_fieldref_or(splunk_backend: SplunkBackend):
             )
         )
 
+def test_splunk_exists(splunk_backend: SplunkBackend):
+    assert (
+        splunk_backend.convert(
+            SigmaCollection.from_yaml(
+                """
+                title: Test
+                status: test
+                logsource:
+                    category: test_category
+                    product: test_product
+                detection:
+                    sel:
+                        fieldA|exists: yes
+                        fieldB|exists: no
+                    condition: sel
+            """
+            )
+        )
+        == ['fieldA=* NOT fieldB=*']
+    )
+
 
 def test_splunk_fields_output(splunk_backend: SplunkBackend):
     rule = SigmaCollection.from_yaml(