[FR] Support missing events

[Mikaayenson]

Issues

Resolves #69

Details

Adds support for the negative feature used within elasticsearch sequences.

Testing

Unit tests should pass.

Additional Information

Related to elastic/detection-rules#3136

[terrancedejesus]

Looks good

[eric-forte-elastic]

LGTM 👍 Thanks for the walk through and good tests!

[Mikaayenson]

Once we merge this in, we will hold cutting a release until ipv6 cidmatch support is added (shortly after).

[eric-forte-elastic]

🟢 Independent package testing works as expected, LGTM 👍

Details

1. Checkout this branch
2. Run make clean to remove old eql library build
3. Run make and activate the build environment
4. Run the test code
5. Verify the output
6. Verify that the current version of eql is the newly build *.19 from when you ran make

Negation Test Code:

import eql

query = '''
sequence with maxspan=2m [any where process: "cmd.exe"] [any where process: "Fake.exe"]
'''
with eql.parser.elasticsearch_syntax, eql.parser.allow_negation:
    parsed = eql.parse_query(query, implied_any=True, implied_base=True)
data_to_filter = [{"process": "cmd.exe", "@timestamp": "2023-05-22T20:03:56.020Z"}, {"process": "bash.exe", "@timestamp": "2023-05-22T20:03:57.020Z"}]
filter_engine = eql.get_engine(parsed)
print(f"Original Query: {query}")
print(f"Output: {filter_engine(data_to_filter)}")


print("-" * 50)
query = '''
sequence with maxspan=2m [any where process: "cmd.exe"] ![any where process: "Fake.exe"]
'''
with eql.parser.elasticsearch_syntax, eql.parser.allow_negation:
    parsed = eql.parse_query(query, implied_any=True, implied_base=True)
filter_engine = eql.get_engine(parsed)
print(f"Negated Query: {query}")
print(f"Output: {filter_engine(data_to_filter)}")

[Mikaayenson]

Will bump before merging.

[brokensound77]

LGTM 👍

[terrancedejesus]

No other changes that I could find ✅