
Backport changes from Elasticsearch EQL #15

Closed
10 of 14 tasks
rw-access opened this issue Apr 10, 2020 · 0 comments
rw-access commented Apr 10, 2020

Context

EQL is being developed directly in Elasticsearch and can be tracked here: elastic/elasticsearch#51556

We've identified places where we need to tighten the semantics for EQL, make changes to existing behavior, or limit what can be expressed in the language. This meta issue is to track all the changes we need to back port to resolve incongruities between Endpoint and Elasticsearch EQL. This will help prepare users of EQL and Elastic endpoint security to make migration easier.

Changes will be tracked in the feature/backport branch.

Parser and validation updates

Runtime updates

  • function behavior: always propagate nulls from required arguments (Implement SQL-consistent null and boolean handling #18)
  • correct handling of three-value boolean logic (true, false, null) (Implement SQL-consistent null and boolean handling #18)
  • toggle-able case-sensitivity. Right now, case-insensitivity is always on. We should add an option to turn this off, while preserving the default behavior. This parameter could be set by updating the config set to the parser or inspecting the rule metadata.
  • TBD: multi-valued functions (will make arraySearch and arrayContains redundant). This isn't actually supported yet within ES, which only uses scalar values for painless.

To be determined

Test Suite

  • As changes are made, the test_queries.toml file should be updated
  • We should update the test suite to externalize multiple tests
    • syntax and parsing
    • semantics, type checking, verifying, etc
    • folding
    • run-time function evaluation
    • integration testing with query and result validation

cc @colings86 @costin @paulewing
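As an added illustration of the null-propagation, three-valued logic and case-sensitivity items listed above (example code written for this page, not code from the EQL or Elasticsearch projects; the function names, field names and sample events are constructed):

```python
# Added example (not EQL's own code): SQL-style three-valued logic with
# null propagation and a case-sensitivity toggle. All names are constructed.

def tv_not(a):
    """NOT with null: unknown stays unknown."""
    return None if a is None else not a

def tv_and(a, b):
    """AND: a definite False wins over null; otherwise null is contagious."""
    if a is False or b is False:
        return False
    return None if a is None or b is None else True

def tv_or(a, b):
    """OR: a definite True wins over null; otherwise null is contagious."""
    if a is True or b is True:
        return True
    return None if a is None or b is None else False

def null_propagating(fn):
    """Wrap a scalar function so a null in any required argument yields null."""
    def wrapper(*args):
        return None if any(a is None for a in args) else fn(*args)
    return wrapper

@null_propagating
def length(s):
    return len(s)

def equals(a, b, case_insensitive=True):
    """Comparison returning True/False/None; case folding is a toggle, on by default."""
    if a is None or b is None:
        return None
    if case_insensitive and isinstance(a, str) and isinstance(b, str):
        return a.casefold() == b.casefold()
    return a == b

# Constructed sample events; a missing field is represented by None.
EVENTS = [
    {"process.name": "cmd.exe", "user": "alice"},
    {"process.name": None, "user": "bob"},
    {"process.name": "CMD.EXE", "user": None},
]

def is_cmd_not_carol(event, case_insensitive=True):
    """process.name == "cmd.exe" and not (user == "carol"), evaluated under 3VL."""
    return tv_and(equals(event["process.name"], "cmd.exe", case_insensitive),
                  tv_not(equals(event["user"], "carol")))

def filter_events(events, predicate):
    """Only a definite True selects an event; False and null both reject it."""
    return [e for e in events if predicate(e) is True]
```

Note that the event with a null user is rejected by `not (user == "carol")` rather than matched, which is the behaviour change a rule author has to account for once nulls propagate.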
