Adding strip function to remove leading and trailing whitespace from …

docs/query-guide/functions.rst

@@ -165,6 +165,13 @@ math, string manipulation or more sophisticated expressions to be expressed.
 
     Returns true if ``b`` is a substring of ``a``
 
+.. function:: strip(s[, leading, trailing])
+
+    :param: s: The string that will be stripped
+    :param: leading: strip whitespace from the beginning of ``s``. Default is ``True``.
+    :param: trailing: strip whitespace from the end of ``s``. Default is ``True``.
+
+    Returns a string with whitespace removed from the beginning and end of input string ``s``.
 .. function:: substring(source [, start, end])
 
     Extracts a substring between from another string between ``start`` and ``end``.

eql/etc/test_data.json

@@ -2076,5 +2076,28 @@
     "unique_pid": 99999,
     "user_domain": "vagrant",
     "user_name": "vagrant"
+  },
+  {
+    "authentication_id": 854482244,
+    "command_line": " C:\\Windows\\system32\\net  group administrators \"findme2\" ",
+    "event_subtype_full": "creation_event",
+    "event_type": "process",
+    "event_type_full": "process_event",
+    "md5": "3b6928bc39e5530cead1e99269e7b1ee",
+    "opcode": 1,
+    "original_file_name": "net1.exe",
+    "parent_process_name": "net.exe",
+    "parent_process_path": "C:\\Windows\\System32\\net.exe",
+    "pid": 1392,
+    "ppid": 3608,
+    "process_name": "net1.exe",
+    "process_path": "C:\\Windows\\System32\\net1.exe",
+    "serial_event_id": 75306,
+    "subtype": "create",
+    "timestamp": 131605904083806370,
+    "unique_pid": 813840,
+    "unique_ppid": 750058,
+    "user_domain": "vagrant",
+    "user_name": "vagrant"
   }
 ]

eql/etc/test_queries.toml

@@ -18,6 +18,32 @@ expected_event_ids = []
 expected_event_ids = []
 query = 'process where missing_field != null'
 
+[[queries]]
+expected_event_ids = [3, 78, 80]
+query = 'process where strip(process_name) == "smss.exe"'
+
+[[queries]]
+expected_event_ids = [3, 78, 80]
+query = 'process where lstrip(process_name) == "smss.exe"'
+
+[[queries]]
+expected_event_ids = [3, 78, 80]
+query = 'process where rstrip(process_name) == "smss.exe"'
+
+[[queries]]
+expected_event_ids = [75306]
+query = 'process where rstrip(command_line) == " C:\\Windows\\system32\\net  group administrators \"findme2\""'
+
+[[queries]]
+expected_event_ids = [75306]
+query = 'process where strip(command_line) == "C:\\Windows\\system32\\net  group administrators \"findme2\""'
+
+[[queries]]
+expected_event_ids = [75306]
+query = 'process where lstrip(command_line) == "C:\\Windows\\system32\\net  group administrators \"findme2\" "'
+
+
+
 [[queries]]
 expected_event_ids  = [1, 2, 3, 4, 5]
 query = 'process where bad_field == null | head 5'
@@ -882,15 +908,15 @@ query = '''
 process where process_name == original_file_name
 | filter process_name='net*.exe'
 '''
-expected_event_ids  = [97, 98]
+expected_event_ids  = [97, 98, 75306]
 note = "check that case insensitive comparisons are performed for fields."
 
 [[queries]]
 query = '''
 process where original_file_name == process_name
 | filter length(original_file_name) > 0
 '''
-expected_event_ids  = [97, 98, 75273, 75303]
+expected_event_ids  = [97, 98, 75273, 75303, 75306]
 description = "check that case insensitive comparisons are performed for fields."
 
 [[queries]]
@@ -1295,4 +1321,4 @@ process where length(between(process_name, 'g', 'e')) > 0
 expected_event_ids = []
 query = '''
 process where length(between(process_name, 'g', 'z')) > 0
-'''
+'''

eql/functions.py

@@ -440,6 +440,26 @@ def run(cls, array):
         return 0
 
 
+@register
+class LeftStrip(FunctionSignature):
+    """Strip leading whitespace from a string."""
+
+    name = "lstrip"
+    argument_types = [STRING]
+    return_value = STRING
+    minimum_args = 1
+
+    @classmethod
+    def run(cls, source):
+        """Strip whitespace from source."""
+        if not is_string(source):
+            return None
+
+        stripped = source.lstrip()
+
+        return stripped
+
+
 @register
 class Match(FunctionSignature):
     """Perform regular expression matching on a string."""
@@ -518,6 +538,26 @@ def run(cls, x, y):
             return x * y
 
 
+@register
+class RightStrip(FunctionSignature):
+    """Strip trailing whitespace from a string."""
+
+    name = "rstrip"
+    argument_types = [STRING]
+    return_value = STRING
+    minimum_args = 1
+
+    @classmethod
+    def run(cls, source):
+        """Strip whitespace from source."""
+        if not is_string(source):
+            return None
+
+        stripped = source.rstrip()
+
+        return stripped
+
+
 @register
 class Safe(FunctionSignature):
     """Evaluate an expression and suppress exceptions."""
@@ -558,6 +598,26 @@ def run(cls, source, substring):
         return False
 
 
+@register
+class Strip(FunctionSignature):
+    """Strip leading & trailing whitespace from a string."""
+
+    name = "strip"
+    argument_types = [STRING]
+    return_value = STRING
+    minimum_args = 1
+
+    @classmethod
+    def run(cls, source):
+        """Strip whitespace from source."""
+        if not is_string(source):
+            return None
+
+        stripped = source.strip()
+
+        return stripped
+
+
 @register
 class Substring(FunctionSignature):
     """Extract a substring."""