Merge pull request #48 from SigmaHQ/field-existence

Field (non)existence check expression
SigmaHQ · Jan 23, 2025 · dfd54ab · dfd54ab
2 parents 31f850a + 93ad69c
commit dfd54ab
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/sigma/backends/splunk/splunk.py b/sigma/backends/splunk/splunk.py
@@ -157,6 +157,8 @@ class SplunkBackend(TextQueryBackend):
     field_in_list_expression: ClassVar[str] = "{field} {op} ({list})"
     or_in_operator: ClassVar[Optional[str]] = "IN"
     list_separator: ClassVar[str] = ", "
+    field_exists_expression: ClassVar[str] = "{field}=*"
+    field_not_exists_expression: ClassVar[str] = "NOT {field}=*"
 
     unbound_value_str_expression: ClassVar[str] = "{value}"
     unbound_value_num_expression: ClassVar[str] = "{value}"

diff --git a/tests/test_backend_splunk.py b/tests/test_backend_splunk.py
@@ -376,6 +376,27 @@ def test_splunk_fieldref_or(splunk_backend: SplunkBackend):
             )
         )
 
+def test_splunk_exists(splunk_backend: SplunkBackend):
+    assert (
+        splunk_backend.convert(
+            SigmaCollection.from_yaml(
+                """
+                title: Test
+                status: test
+                logsource:
+                    category: test_category
+                    product: test_product
+                detection:
+                    sel:
+                        fieldA|exists: yes
+                        fieldB|exists: no
+                    condition: sel
+            """
+            )
+        )
+        == ['fieldA=* NOT fieldB=*']
+    )
+
 
 def test_splunk_fields_output(splunk_backend: SplunkBackend):
     rule = SigmaCollection.from_yaml(