tellaro-query-language 0.2.11__tar.gz → 0.2.13__tar.gz

{tellaro_query_language-0.2.11 → tellaro_query_language-0.2.13}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: tellaro-query-language
-Version: 0.2.11
+Version: 0.2.13
 Summary: A flexible, human-friendly query language for searching and filtering structured data
 License: Proprietary
 License-File: LICENSE

{tellaro_query_language-0.2.11 → tellaro_query_language-0.2.13}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "tellaro-query-language"
-version = "0.2.11"
+version = "0.2.13"
 description = "A flexible, human-friendly query language for searching and filtering structured data"
 authors = ["Justin Henderson <justin@tellaro.io>"]
 license = "Proprietary"

{tellaro_query_language-0.2.11 → tellaro_query_language-0.2.13}/src/tql/mutators/dns.py

@@ -294,28 +294,17 @@ class NSLookupMutator(BaseMutator):
                     append_to_result(record, dns_field, results_array)
             # If no results, don't set any fields
 
-        # For enrichment mutators, return data for comparison
-        # The full enrichment data is stored via append_to_result above
-        # Return value is used for field comparison (e.g., contains 'dns.google')
-
-        if len(queries) == 1 and queries[0] in resolved_results:
-            # Single query: return the first answer for comparison
-            dns_data = resolved_results[queries[0]]
-            answers = dns_data.get("answers", [])
-            return answers[0] if answers else value  # Return first answer or original value
-        elif len(queries) > 1:
-            # Multiple queries: return array of first answers
-            first_answers = []
-            for query in queries:
-                if query in resolved_results:
-                    dns_data = resolved_results[query]
-                    answers = dns_data.get("answers", [])
-                    if answers:
-                        first_answers.append(answers[0])
-            return first_answers if first_answers else value
-        else:
-            # No results: return original value
-            return value
+        # For enrichment mutators, return the original value (not the DNS answer)
+        # This ensures the original field (e.g., destination.ip) is NOT overwritten
+        # The enrichment data (domain, dns) is already stored via append_to_result above
+        #
+        # IMPORTANT: We return the original value to prevent schema violations.
+        # For example, if destination.ip is typed as 'ip' in OpenSearch,
+        # returning a hostname like '170-114-14-33.zoom.us' would cause indexing errors.
+        #
+        # If the caller needs the resolved DNS name for comparison, they should
+        # access it via the domain field (e.g., destination.domain contains 'google')
+        return value
 
     def _format_dns_ecs(  # noqa: C901
         self, query_value: str, records: List[Dict[str, Any]], query_types: List[str]

{tellaro_query_language-0.2.11 → tellaro_query_language-0.2.13}/src/tql/post_processor.py

@@ -701,19 +701,24 @@ class QueryPostProcessor:
             # Check if this is an enrichment mutator first
             from .mutators import ENRICHMENT_MUTATORS
 
-            # Check if we have geo/geoip_lookup enrichment mutator
+            # Check if we have geo/geoip_lookup or nslookup enrichment mutator
             is_geo_enrichment = False
+            is_nslookup_enrichment = False
             for mutator in requirement.mutators:
                 mutator_name = mutator.get("name", "").lower()
                 if mutator_name in ["geo", "geoip_lookup"]:
                     is_geo_enrichment = True
-                    break
+                elif mutator_name == "nslookup":
+                    is_nslookup_enrichment = True
+
+            # Skip field transformation for enrichment mutators (they add data, not transform)
+            is_any_enrichment = is_geo_enrichment or is_nslookup_enrichment
 
-            if should_transform_output and not is_geo_enrichment:
+            if should_transform_output and not is_any_enrichment:
                 # Update the result with the mutated value
                 # Use the original field name for the output
                 self._set_field_value(result, requirement.field_name, mutated_value)
-            elif not is_geo_enrichment:
+            elif not is_any_enrichment:
                 # For type-changing mutators with filtering operations, store in temp field
                 temp_field_name = self._get_mutated_field_name(requirement.field_name)
                 self._set_field_value(result, temp_field_name, mutated_value)
@@ -750,6 +755,10 @@ class QueryPostProcessor:
                         if "as" in mutated_value:
                             result["enrichment"]["as"] = mutated_value["as"]
 
+            # Handle nslookup enrichment - the mutator already adds domain/dns via append_to_result
+            # We just need to ensure the original field value is preserved (don't overwrite)
+            # The nslookup mutator's apply() method handles enrichment storage via append_to_result()
+
             return enrichment_mutator_found
 
         except Exception: