Update default (#3574)

eric-forte-elastic · web-flow · commit fbb6df506e64 · 2024-04-04T20:27:14.000-04:00
diff --git a/detection_rules/rule.py b/detection_rules/rule.py
@@ -1405,7 +1405,7 @@ def get_unique_query_fields(rule: TOMLRule) -> List[str]:
 
         cfg = set_eql_config(rule.contents.metadata.get('min_stack_version'))
         with eql.parser.elasticsearch_syntax, eql.parser.ignore_missing_functions, eql.parser.skip_optimizations, cfg:
-            parsed = kql.parse(query, normalize_kql_keywords=True) if language == 'kuery' else eql.parse_query(query)
+            parsed = kql.parse(query) if language == 'kuery' else eql.parse_query(query)
 
         return sorted(set(str(f) for f in parsed if isinstance(f, (eql.ast.Field, kql.ast.Field))))
 
diff --git a/detection_rules/rule_validators.py b/detection_rules/rule_validators.py
@@ -36,7 +36,7 @@ class KQLValidator(QueryValidator):
 
     @cached_property
     def ast(self) -> kql.ast.Expression:
-        return kql.parse(self.query, normalize_kql_keywords=True)
+        return kql.parse(self.query)
 
     @cached_property
     def unique_fields(self) -> List[str]:
@@ -80,7 +80,7 @@ def validate_stack_combos(self, data: QueryRuleData, meta: RuleMeta) -> Union[KQ
                                                                     beats_version, ecs_version)
 
             try:
-                kql.parse(self.query, schema=schema, normalize_kql_keywords=True)
+                kql.parse(self.query, schema=schema)
             except kql.KqlParseError as exc:
                 message = exc.error_msg
                 trailer = err_trailer
@@ -135,7 +135,7 @@ def validate_integration(
 
             # Validate the query against the schema
             try:
-                kql.parse(self.query, schema=integration_schema, normalize_kql_keywords=True)
+                kql.parse(self.query, schema=integration_schema)
             except kql.KqlParseError as exc:
                 if exc.error_msg == "Unknown field":
                     field = extract_error_field(self.query, exc)
diff --git a/detection_rules/utils.py b/detection_rules/utils.py
@@ -241,7 +241,7 @@ def convert_time_span(span: str) -> int:
 
 def evaluate(rule, events):
     """Evaluate a query against events."""
-    evaluator = kql.get_evaluator(kql.parse(rule.query, normalize_kql_keywords=True))
+    evaluator = kql.get_evaluator(kql.parse(rule.query))
     filtered = list(filter(evaluator, events))
     return filtered
 
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
@@ -67,7 +67,7 @@ def test_all_rule_queries_optimized(self):
                 )
             ):
                 source = rule.contents.data.query
-                tree = kql.parse(source, optimize=False, normalize_kql_keywords=True)
+                tree = kql.parse(source, optimize=False)
                 optimized = tree.optimize(recursive=True)
                 err_message = f'\n{self.rule_str(rule)} Query not optimized for rule\n' \
                               f'Expected: {optimized}\nActual: {source}'

Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ def test_all_rule_queries_optimized(self):`
`67`	`67`	`)`
`68`	`68`	`):`
`69`	`69`	`source = rule.contents.data.query`
`70`		`- tree = kql.parse(source, optimize=False, normalize_kql_keywords=True)`
	`70`	`+ tree = kql.parse(source, optimize=False)`
`71`	`71`	`optimized = tree.optimize(recursive=True)`
`72`	`72`	`err_message = f'\n{self.rule_str(rule)} Query not optimized for rule\n' \`
`73`	`73`	`f'Expected: {optimized}\nActual: {source}'`