Merge branch 'main' of https://github.com/SigmaHQ/pySigma-backend-cro…

…wdstrike
SigmaHQ · Oct 13, 2024 · b0b58b0 · b0b58b0
2 parents bdd8048 + c7b60c7
commit b0b58b0
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 4 deletions.
diff --git a/sigma/backends/crowdstrike/logscale.py b/sigma/backends/crowdstrike/logscale.py
@@ -124,7 +124,7 @@ class LogScaleBackend(TextQueryBackend):
     escape_char_re: ClassVar[str] = "\\"
     wildcard_multi_re: ClassVar[str] = ".*"
     wildcard_single_re: ClassVar[str] = "."
-    add_escaped_re: ClassVar[str] = "*$^.|?()[]+/"
+    add_escaped_re: ClassVar[str] = "*$^.|?()[]+/{}"
     filter_chars_re: ClassVar[str] = ""
     bool_values_re: ClassVar[Dict[bool, str]] = {
         True: "true",

diff --git a/sigma/pipelines/crowdstrike/crowdstrike.py b/sigma/pipelines/crowdstrike/crowdstrike.py
@@ -550,7 +550,6 @@ def crowdstrike_fdr_pipeline() -> ProcessingPipeline:
 def crowdstrike_falcon_pipeline() -> ProcessingPipeline:
     return ProcessingPipeline(
         name="CrowdStrike Falcon Pipeline",
-        allowed_backends={"logscale"},
         priority=10,
         items=[
             # Process Creation

diff --git a/tests/test_backend_logscale.py b/tests/test_backend_logscale.py
@@ -43,12 +43,12 @@ def test_crowdstrikelogscale_special_chars(logscale_backend: LogScaleBackend):
                 product: test_product
             detection:
                 sel:
-                    fieldA: valueA*$^.|?()[]+/
+                    fieldA: valueA*$^.|?()[]+/{}
                 condition: sel
         """
             )
         )
-        == ["fieldA=/^valueA.*\\$\\^\\.\\|.\\(\\)\\[\\]\\+\\/$/i"]
+        == ["fieldA=/^valueA.*\\$\\^\\.\\|.\\(\\)\\[\\]\\+\\/\\{\\}$/i"]
     )