From 86f7bfc1ca8e93542cdb49b7ed9d476e52307cdd Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Mon, 14 Oct 2024 00:31:26 +0200
Subject: [PATCH] Configured ReplaceStringTransformation appropriately

Reconfigured the `ReplaceStringTransformation`s to ignore special characters and to interpret special characters in replacements as required to fix issue #17
---
 sigma/pipelines/crowdstrike/crowdstrike.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sigma/pipelines/crowdstrike/crowdstrike.py b/sigma/pipelines/crowdstrike/crowdstrike.py
index 2ee8c47..429d6be 100644
--- a/sigma/pipelines/crowdstrike/crowdstrike.py
+++ b/sigma/pipelines/crowdstrike/crowdstrike.py
@@ -440,7 +440,7 @@ def common_processing_items():
 ProcessingItem(
 identifier="cql_imagefilename_replace_disk_name",
 transformation=ReplaceStringTransformation(
- regex="[C-Z]:", replacement="\\\\Device\\\\HarddiskVolume?"
+ regex="[C-Z]:", replacement="\\\\Device\\\\HarddiskVolume?", skip_special=True, interpret_special=True
 ),
 field_name_conditions=[
 IncludeFieldCondition(fields=["ImageFileName"]),
@@ -450,7 +450,7 @@ def common_processing_items():
 ),
 ProcessingItem(
 identifier="cql_imagefilename_replace_disk_name",
- transformation=ReplaceStringTransformation(regex=":", replacement="", skip_special=True),
+ transformation=ReplaceStringTransformation(regex=":", replacement="", skip_special=True),
 field_name_conditions=[
 IncludeFieldCondition(fields=["ImageFileName"]),
 IncludeFieldCondition(fields=["TargetImageFileName"]),
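Review bot: The pattern `[C-Z]:` on the changed line is case-sensitive, so a rule value written as `c:\...` is not rewritten to the device path and, going by the second hunk, only loses its colon afterwards, leaving a string that cannot match `ImageFileName`; such a rule would then silently never fire. Sigma string matching is case-insensitive by default, so `regex="(?i)[C-Z]:"` would be the safer pattern. With `interpret_special=True` the trailing `?` is presumably read as a single-character wildcard, which covers `HarddiskVolume0` to `HarddiskVolume9` only; a comment such as `# '?' matches one digit only: volumes 10 and above are not covered` would make that limit visible. Both hunks pass keywords that older pySigma releases may not accept, and the diffstat shows only this file changed, so the declared minimum pySigma version should be checked. `common_processing_items()` begins and ends outside the hunk.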
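Review bot: This item reuses the identifier `cql_imagefilename_replace_disk_name` that the item in the first hunk already carries, so anything that tracks applied processing items by identifier cannot tell the drive-letter rewrite from the colon removal. A distinct name, for example `identifier="cql_imagefilename_remove_colon"`, would keep conversion traces unambiguous. Because `regex=":"` removes every colon in the plain parts of the value, a one-line comment naming the values this catch-all is meant for would help, along with a conversion test for the case from issue #17. The function body continues past the end of the hunk.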