Trailing backslashes escape wildcards added by modifiers

[thomaspatzke]

From the community Discord:

When converting a Sigma rule to the EQL using the elastic backend and the ecs_windows pipeline, strings ending with a backslash immediately followed by a wildcard (due to the contains modifier) are not correctly escaped in the final query.

Example of incorrect output for a rule matching on the path \Desktop\:
The backend would generate:
... like~ ("*\\Desktop\*")
(Note: The \ before the final * is not escaped)

Expected correct output for the same rule:
The query should have a double backslash before the final wildcard to represent a literal escaped backslash:
... like~ ("*\\Desktop\\*")
(Note: The \ before the final * is now escaped as \\)

[david-syk]

I just wanted to confirm that i'm seeing this issue too; feel free to reach out if any additional details or testing is needed.

[thomaspatzke]

Adding further tests to pySigma, possibly the issue is located there.

[thomaspatzke]

It's a pySigma issue, moving it over to the right project.

[thomaspatzke]

@david-syk can you test it with pySigma from branch issue-431?

[david-syk]

@thomaspatzke
Sorry - but I'm unable to test this right now.
Perhaps someone else might be able to test it additionally so it can be released instead of waiting for me.