tellaro-query-language 0.2.12__py3-none-any.whl → 0.2.13__py3-none-any.whl

@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: tellaro-query-language
3
- Version: 0.2.12
3
+ Version: 0.2.13
4
4
  Summary: A flexible, human-friendly query language for searching and filtering structured data
5
5
  License: Proprietary
6
6
  License-File: LICENSE
@@ -24,7 +24,7 @@ tql/geoip_normalizer.py,sha256=tvie-5xevJEeLp2KmjoXDjYdND8AvyVE7lCO8qgUzGY,10486
24
24
  tql/mutator_analyzer.py,sha256=OWx3k5lK5aFHWU9Ez6DaIhenEZDxj9CbB0vM71xqUTw,55670
25
25
  tql/mutators/__init__.py,sha256=eTK8sRw4KXXnTZTn5ETIqwcaIek5rSUIVyZsxTwNNHA,6966
26
26
  tql/mutators/base.py,sha256=4Ze_x1sTO11OILXfcF2XN7ttyHcZ4gwn96UXFMMaC6M,2523
27
- tql/mutators/dns.py,sha256=E4JmEyfZJO7OKpMsCb_jM-79xcQRcuEjzQSMBpRuNXo,15987
27
+ tql/mutators/dns.py,sha256=F0xlDLTRlkE-4j_1QUsaXWP_AnmBsLk1KdOyuRnu6ZI,15593
28
28
  tql/mutators/encoding.py,sha256=yt12BJrHAIJfBesP8VOSfVlvJqB1yOmEeT_8QDPvNN8,7985
29
29
  tql/mutators/geo.py,sha256=H-_5oDvuYaAG8Re17RkGjzCc6Z07YHd7Cr95g6JbnyE,16188
30
30
  tql/mutators/list.py,sha256=949ZrKKhL4INkH2Od8bq7Ey80kFX_23PEfRKueG82cU,7084
@@ -52,8 +52,8 @@ tql/stats_evaluator.py,sha256=2qnjeH5Qx14qpHDS_YJn9jRPeoPUfkeiYJabBagdfRs,36126
52
52
  tql/stats_transformer.py,sha256=MT-4rDWZSySgn4Fuq9H0c-mvwFYLM6FqWpPv2rHX-rE,7588
53
53
  tql/streaming_file_processor.py,sha256=cftWhYcvUo984P3ALf2CO3FoCQPJPe_2s2HLcXTp5UQ,12437
54
54
  tql/validators.py,sha256=e9MlX-zQ_O3M8YP8vXyMjKU8iiJMTh6mMK0iv0_4gTY,3771
55
- tellaro_query_language-0.2.12.dist-info/METADATA,sha256=RoDiW3dCxiaoBu39n0Xp9oBH3NWez8nZDjpL9gVhCNY,21892
56
- tellaro_query_language-0.2.12.dist-info/WHEEL,sha256=3ny-bZhpXrU6vSQ1UPG34FoxZBp3lVcvK0LkgUz6VLk,88
57
- tellaro_query_language-0.2.12.dist-info/entry_points.txt,sha256=D0lbIGUYuDyfcYeqju1rWcMBFzft4sZtfIlw5uPNx5g,181
58
- tellaro_query_language-0.2.12.dist-info/licenses/LICENSE,sha256=eWf8lkuXlVX_8WiDpUgQvzxc1cxCeVne_e6P-pVJpwM,3038
59
- tellaro_query_language-0.2.12.dist-info/RECORD,,
55
+ tellaro_query_language-0.2.13.dist-info/METADATA,sha256=zlOWkXgKW8JMf34FRObMq008u7sEYnqPd7EicwVlSKw,21892
56
+ tellaro_query_language-0.2.13.dist-info/WHEEL,sha256=3ny-bZhpXrU6vSQ1UPG34FoxZBp3lVcvK0LkgUz6VLk,88
57
+ tellaro_query_language-0.2.13.dist-info/entry_points.txt,sha256=D0lbIGUYuDyfcYeqju1rWcMBFzft4sZtfIlw5uPNx5g,181
58
+ tellaro_query_language-0.2.13.dist-info/licenses/LICENSE,sha256=eWf8lkuXlVX_8WiDpUgQvzxc1cxCeVne_e6P-pVJpwM,3038
59
+ tellaro_query_language-0.2.13.dist-info/RECORD,,
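--- a/tql/mutators/dns.py
+++ b/tql/mutators/dns.py
@@ -294,28 +294,17 @@ class NSLookupMutator(BaseMutator):
  append_to_result(record, dns_field, results_array)
  # If no results, don't set any fields
 
- # For enrichment mutators, return data for comparison
- # The full enrichment data is stored via append_to_result above
- # Return value is used for field comparison (e.g., contains 'dns.google')
-
- if len(queries) == 1 and queries[0] in resolved_results:
- # Single query: return the first answer for comparison
- dns_data = resolved_results[queries[0]]
- answers = dns_data.get("answers", [])
- return answers[0] if answers else value # Return first answer or original value
- elif len(queries) > 1:
- # Multiple queries: return array of first answers
- first_answers = []
- for query in queries:
- if query in resolved_results:
- dns_data = resolved_results[query]
- answers = dns_data.get("answers", [])
- if answers:
- first_answers.append(answers[0])
- return first_answers if first_answers else value
- else:
- # No results: return original value
- return value
+ # For enrichment mutators, return the original value (not the DNS answer)
+ # This ensures the original field (e.g., destination.ip) is NOT overwritten
+ # The enrichment data (domain, dns) is already stored via append_to_result above
+ #
+ # IMPORTANT: We return the original value to prevent schema violations.
+ # For example, if destination.ip is typed as 'ip' in OpenSearch,
+ # returning a hostname like '170-114-14-33.zoom.us' would cause indexing errors.
+ #
+ # If the caller needs the resolved DNS name for comparison, they should
+ # access it via the domain field (e.g., destination.domain contains 'google')
+ return value
 
  def _format_dns_ecs( # noqa: C901
  self, query_value: str, records: List[Dict[str, Any]], query_types: List[str]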
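Review bot: Returning `value` unchanged at the end of the hunk silently changes the result of every existing query that compared the mutator's output (the removed branches explicitly served `... contains 'dns.google'` style comparisons), so such a comparison now runs against the raw IP and can never match a hostname; a detection rule written against the old semantics stops matching without any error. If the mutator has a docstring or the package a changelog, this break should be recorded there, and a one-time warning when a comparison operator is applied to an enrichment mutator's return value would make the regression visible rather than silent (I cannot see whether the evaluator can distinguish that case). The new comment should also caveat that the `dns`/`domain` data written by `append_to_result` appears to come from reverse (PTR) lookups of the IP, whose content is set by whoever controls that address range, so `destination.domain contains 'google'` is not evidence that the traffic went to Google and must not be used as an allowlist on its own; e.g. `# NOTE: PTR answers are controlled by the IP owner; treat domain matches as untrusted hints, not identity.` The enclosing method starts before the hunk, and `_format_dns_ecs` continues past it.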