LIKE operator only added for events queries (#1521)

opencybersecurityalliance · Aug 25, 2023 · d6919c2 · d6919c2
1 parent a67253d
commit d6919c2
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/stix_shifter_modules/qradar/stix_translation/query_constructor.py b/stix_shifter_modules/qradar/stix_translation/query_constructor.py
@@ -131,7 +131,7 @@ def _parse_mapped_fields(self, expression, value, comparator, stix_field, mapped
                                                                                              value=value)
             else:
                 # There's no aql field for domain-name. using Like operator to find domian name from the url
-                if mapped_field == 'dnsdomainname' and comparator != ComparisonComparators.Like:
+                if self.dmm.dialect == 'events' and mapped_field == 'dnsdomainname' and comparator != ComparisonComparators.Like:
                     comparator = self.comparator_lookup["ComparisonComparators.Like"]
                     value = self._format_like(expression.value)
 

diff --git a/...dules/qradar/tests/stix_translation/qradar_stix_to_aql/test_qradar_flows_stix_to_query.py b/...dules/qradar/tests/stix_translation/qradar_stix_to_aql/test_qradar_flows_stix_to_query.py
@@ -127,7 +127,7 @@ def test_md5hash_query(self):
     def test_domainname_query(self):
         stix_pattern = "[domain-name:value = 'example.com']"
         query = _translate_query(stix_pattern)
-        where_statement = "WHERE dnsdomainname LIKE '%example.com%' {} {}".format(default_limit, default_time)
+        where_statement = "WHERE dnsdomainname = 'example.com' {} {}".format(default_limit, default_time)
         _test_query_assertions(query, selections, from_statement, where_statement)
 
     def test_filename_query(self):
@@ -235,7 +235,7 @@ def test_tlssni_query(self):
     def test_url_query(self):
         stix_pattern = "[url:value = 'example.com' ]"
         query = _translate_query(stix_pattern)
-        where_statement = "WHERE (dnsdomainname LIKE '%example.com%' OR tlsservernameindication LIKE '%example.com%' OR httphost LIKE '%example.com%') {} {}".format(default_limit, default_time)
+        where_statement = "WHERE (dnsdomainname = 'example.com' OR tlsservernameindication = 'example.com' OR httphost = 'example.com') {} {}".format(default_limit, default_time)
         _test_query_assertions(query, selections, from_statement, where_statement)
 
     def test_in_operators(self):