From 8026e07d30356bfe8b7729082e302af314712279 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Thu, 16 Feb 2023 08:40:04 +0100
Subject: [PATCH] Relaxed ParentImage restriction: file name suffix patterns
---
 sigma/pipelines/crowdstrike/crowdstrike.py | 2 +-
 .../test_processing_pipelines_crowdstrike.py | 20 +++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/sigma/pipelines/crowdstrike/crowdstrike.py b/sigma/pipelines/crowdstrike/crowdstrike.py
index b12c923..b19f8f3 100644
--- a/sigma/pipelines/crowdstrike/crowdstrike.py
+++ b/sigma/pipelines/crowdstrike/crowdstrike.py
@@ -137,7 +137,7 @@ def crowdstrike_fdr_pipeline():
 detection_item_conditions=[
 MatchStringCondition(
 cond="any",
- pattern="^\\*\\\\[^\\\\]+$",
+ pattern="^\\*\\\\?[^\\\\]+$",
 negate=True,
 )
 ]
diff --git a/tests/test_processing_pipelines_crowdstrike.py b/tests/test_processing_pipelines_crowdstrike.py
index ccb76c3..f4adff2 100644
--- a/tests/test_processing_pipelines_crowdstrike.py
+++ b/tests/test_processing_pipelines_crowdstrike.py
@@ -41,6 +41,21 @@ def process_creation_sigma_rule_parentimage():
 condition: sel
 """)
 
+@pytest.fixture
+def process_creation_sigma_rule_parentimage_without_slash():
+ return SigmaCollection.from_yaml("""
+ title: Process Creation Test
+ status: test
+ logsource:
+ category: process_creation
+ product: windows
+ detection:
+ sel:
+ CommandLine: "test.exe foo bar"
+ ParentImage: "*parent.exe"
+ condition: sel
+ """)
+
 @pytest.fixture
 def process_creation_sigma_rule_parentimage_path():
 return SigmaCollection.from_yaml("""
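Review bot: The new regex on the `+ pattern=` line is hard to audit in its doubly-escaped form, and nothing in the hunk records which value shapes it is meant to accept; a raw string with a one-line comment would make the intent reviewable, e.g. `pattern=r"^\*\\?[^\\]+$",  # "*name.exe" or "*\name.exe": a bare file name with an optional leading path separator`. Because `negate=True`, the condition fires for ParentImage values that do not have that shape, and the added `?` means a separator-less value like `*parent.exe` now counts as a bare file name even though its match semantics are suffix rather than exact-name (the test hunk in tests/test_processing_pipelines_crowdstrike.py expects `endswith` for it); stating that in the comment keeps a later maintainer from tightening the pattern back. The enclosing `crowdstrike_fdr_pipeline` starts and ends outside the hunk, so the transformation this condition gates is not visible here.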
@@ -110,6 +125,11 @@ def test_crowdstrike_pipeline_parentimage(resolver : ProcessingPipelineResolver,
 backend = TextQueryTestBackend(pipeline)
 assert backend.convert(process_creation_sigma_rule_parentimage) == ["event_simpleName=\"ProcessRollup2\" and CommandLine=\"test.exe foo bar\" and ParentBaseFileName=\"parent.exe\""]
 
+def test_crowdstrike_pipeline_parentimage_without_slash(resolver : ProcessingPipelineResolver, process_creation_sigma_rule_parentimage_without_slash):
+ pipeline = resolver.resolve_pipeline("crowdstrike")
+ backend = TextQueryTestBackend(pipeline)
+ assert backend.convert(process_creation_sigma_rule_parentimage_without_slash) == ["event_simpleName=\"ProcessRollup2\" and CommandLine=\"test.exe foo bar\" and ParentBaseFileName endswith \"parent.exe\""]
+
 def test_crowdstrike_pipeline_parentimage_path(resolver : ProcessingPipelineResolver, process_creation_sigma_rule_parentimage_path):
 pipeline = resolver.resolve_pipeline("crowdstrike")
 backend = TextQueryTestBackend(pipeline)
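Review bot: The new test pins a different operator than its sibling above it (`endswith` versus `=`) without saying why, so the distinction between `*\parent.exe` (exact base-file-name equality) and `*parent.exe` (a suffix match that would also hit a base file name such as notparent.exe) lives only inside the expected query string; a docstring on `test_crowdstrike_pipeline_parentimage_without_slash` such as `"""A ParentImage pattern with no path separator is a file-name suffix, so it maps to endswith on ParentBaseFileName rather than equality."""` would make that contract explicit for whoever tunes the pipeline next. The `resolve_pipeline("crowdstrike")` plus `TextQueryTestBackend(pipeline)` setup is repeated verbatim in every test visible in this hunk; a shared fixture returning `TextQueryTestBackend(resolver.resolve_pipeline("crowdstrike"))` would remove the duplication, though the repetition is pre-existing style rather than something this commit introduces. `test_crowdstrike_pipeline_parentimage` begins and `test_crowdstrike_pipeline_parentimage_path` ends outside the hunk.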