Add support for eql-wildcard and kql-match_only_text (elastic#1583)

* Add support for eql-wildcard and kql-match_only_text
* bump kql version
* lookup elasticsearch type family prior to getting type hint
Co-authored-by: David French <[email protected]>

Author: brokensound77

detection_rules/ecs.py

@@ -175,9 +175,10 @@ class KqlSchema2Eql(eql.Schema):
         "keyword": eql.types.TypeHint.String,
         "ip": eql.types.TypeHint.String,
         "float": eql.types.TypeHint.Numeric,
-        "double": eql.types.TypeHint.Numeric,
-        "long": eql.types.TypeHint.Numeric,
-        "short": eql.types.TypeHint.Numeric,
+        # "double": eql.types.TypeHint.Numeric,
+        # "long": eql.types.TypeHint.Numeric,
+        # "short": eql.types.TypeHint.Numeric,
+        "integer": eql.types.TypeHint.Numeric,
         "boolean": eql.types.TypeHint.Boolean,
     }
 
@@ -191,9 +192,12 @@ def validate_event_type(self, event_type):
         return True
 
     def get_event_type_hint(self, event_type, path):
+        from kql.parser import elasticsearch_type_family
+
         dotted = ".".join(path)
         elasticsearch_type = self.kql_schema.get(dotted)
-        eql_hint = self.type_mapping.get(elasticsearch_type)
+        es_type_family = elasticsearch_type_family(elasticsearch_type)
+        eql_hint = self.type_mapping.get(es_type_family)
 
         if eql_hint is not None:
             return eql_hint, None

kql/__init__.py

@@ -13,7 +13,7 @@
 from .kql2eql import KqlToEQL
 from .parser import lark_parse, KqlParser
 
-__version__ = '0.1.5'
+__version__ = '0.1.6'
 __all__ = (
     "ast",
     "from_eql",

kql/parser.py

@@ -58,6 +58,7 @@ def elasticsearch_type_family(mapping_type: str) -> str:
         # text search types
         "annotated-text": "text",
         "completion": "text",
+        "match_only_text": "text",
         "search-as_you_type": "text",
 
         # keyword