From c3ac2c2b0d5dff69a68b48eab76bea979fa93c1d Mon Sep 17 00:00:00 2001
From: David Barroso
Date: Tue, 20 Oct 2020 10:32:29 +0200
Subject: [PATCH] Include more flexible PythonEngine configuration variables

---
 eql/engine.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/eql/engine.py b/eql/engine.py
index f317fed..560abe4 100644
--- a/eql/engine.py
+++ b/eql/engine.py
@@ -51,15 +51,15 @@ def __init__(self, config=None):
         self.host_key = self.get_config('host_key', 'hostname')
         self.pid_key = self.get_config('pid_key', 'pid')
         self.ppid_key = self.get_config('ppid_key', 'ppid')
+        self.process_type = self.get_config('process_type', 'process')
+        self.process_subtype = self.get_config('process_subtype', 'subtype')
+        self.create_values = self.get_config('create_values', ["create", "fork"])
+        self.terminate_values = self.get_config('terminate_values', ["terminate"])
         if self.get_config('data_source') == 'endgame':
             self.process_subtype = "opcode"
             self.create_values = (1, 3, 9)
             self.terminate_values = (2, 4)
-        else:
-            self.process_subtype = "subtype"
-            self.create_values = ["create", "fork"]
-            self.terminate_values = ["terminate"]
 
         self._scoped = []
 
@@ -766,7 +766,7 @@ def _get_descendant_of(self, node):  # type: (EventQuery) -> callable
         creates = self.create_values
         terminates = self.terminate_values
 
-        @self.event_callback("process")
+        @self.event_callback(self.process_type)
         def update_descendants(event):  # type: (Event) -> None
             ppid = event.data.get(self.ppid_key)
             pid = event.data.get(self.pid_key)
@@ -813,7 +813,7 @@ def _get_child_of(self, node):  # type: (EventQuery) -> callable
         creates = self.create_values
         terminates = self.terminate_values
 
-        @self.event_callback("process")
+        @self.event_callback(self.process_type)
         def update_children(event):  # type: (Event) -> None
             ppid = event.data.get(self.ppid_key)
             pid = event.data.get(self.pid_key)
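Review bot: The four new `get_config` lines in the first hunk are silently overridden when `data_source` is `endgame`: a caller who configures `process_subtype`, `create_values` or `terminate_values` together with that data source still gets the hard-coded `"opcode"`, `(1, 3, 9)` and `(2, 4)`, and nothing in the code or the commit message says so. Either make the endgame values the defaults inside that branch, e.g. `self.create_values = self.get_config('create_values', (1, 3, 9))`, or state the precedence in a comment above the `if`: `# the endgame data source takes precedence over any configured process_subtype/create_values/terminate_values`. The configured `create_values`/`terminate_values` are copied into `creates`/`terminates` in the later hunks and presumably used in membership tests, so a bare string in the config would turn those into substring checks; wrapping the configured value in `tuple(...)` or rejecting non-sequence values here would guard that, if the config format allows strings. `__init__` continues past the end of the hunk.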
@@ -859,7 +859,7 @@ def _get_event_of(self, node):  # type: (EventQuery) -> callable
         creates = self.create_values
         terminates = self.terminate_values
 
-        @self.event_callback("process")
+        @self.event_callback(self.process_type)
         def purge_on_terminate(event):  # type: (Event) -> None
             pid = event.data.get(self.pid_key)
             subtype = event.data.get(process_subtype)