From 55369141c4d33f839f19aa3b22595ac15af38807 Mon Sep 17 00:00:00 2001
From: Panos Moullotos <25383165+moullos@users.noreply.github.com>
Date: Tue, 24 Sep 2024 18:02:20 +0300
Subject: [PATCH 1/2] Escape curly brackets

---
 sigma/backends/crowdstrike/logscale.py | 2 +-
 tests/test_backend_logscale.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/sigma/backends/crowdstrike/logscale.py b/sigma/backends/crowdstrike/logscale.py
index 53a7b17..129aeeb 100644
--- a/sigma/backends/crowdstrike/logscale.py
+++ b/sigma/backends/crowdstrike/logscale.py
@@ -124,7 +124,7 @@ class LogScaleBackend(TextQueryBackend):
 escape_char_re: ClassVar[str] = "\\"
 wildcard_multi_re: ClassVar[str] = ".*"
 wildcard_single_re: ClassVar[str] = "."
- add_escaped_re: ClassVar[str] = "*$^.|?()[]+/"
+ add_escaped_re: ClassVar[str] = "*$^.|?()[]+/{}"
 filter_chars_re: ClassVar[str] = ""
 bool_values_re: ClassVar[Dict[bool, str]] = {
 True: "true",
diff --git a/tests/test_backend_logscale.py b/tests/test_backend_logscale.py
index 40eae25..044b09c 100644
--- a/tests/test_backend_logscale.py
+++ b/tests/test_backend_logscale.py
@@ -43,12 +43,12 @@ def test_crowdstrikelogscale_special_chars(logscale_backend: LogScaleBackend):
 product: test_product
 detection:
 sel:
- fieldA: valueA*$^.|?()[]+/
+ fieldA: valueA*$^.|?()[]+/{}
 condition: sel
 """
 )
 )
- == ["fieldA=/^valueA.*\\$\\^\\.\\|.\\(\\)\\[\\]\\+\\/$/i"]
+ == ["fieldA=/^valueA.*\\$\\^\\.\\|.\\(\\)\\[\\]\\+\\/\\{\\}$/i"]
 )

From 98a63c2aa4380da224b03058fde5d3ad0f1e07f5 Mon Sep 17 00:00:00 2001
From: Panos Moullotos <25383165+moullos@users.noreply.github.com>
Date: Sat, 5 Oct 2024 13:54:33 +0300
Subject: [PATCH 2/2] Removing allowed backends

Allowed backends led to some issues with sigma-cli
---
 sigma/pipelines/crowdstrike/crowdstrike.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sigma/pipelines/crowdstrike/crowdstrike.py b/sigma/pipelines/crowdstrike/crowdstrike.py
index 2fb63d3..2ee8c47 100644
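Review bot: The new `add_escaped_re` value is a bare metacharacter list with nothing explaining why `{}` joined it, so a maintainer who later trims a character has no hint that an unescaped literal in a Sigma value can silently change what the generated LogScale query matches. With the braces added the set now covers every standard regex metacharacter except the backslash; whether the base conversion escapes `escape_char_re` itself is not visible here, so a value containing a literal backslash (common in Windows-path values) is worth a second case in tests/test_backend_logscale.py next to the updated special-chars assertion. I would annotate the attribute: `# Regex metacharacters escaped in generated queries; an unescaped literal brace could be read as a quantifier and silently alter the match.` The LogScaleBackend class body continues outside the hunk.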
--- a/sigma/pipelines/crowdstrike/crowdstrike.py
+++ b/sigma/pipelines/crowdstrike/crowdstrike.py
@@ -550,7 +550,6 @@ def crowdstrike_fdr_pipeline() -> ProcessingPipeline:
 def crowdstrike_falcon_pipeline() -> ProcessingPipeline:
 return ProcessingPipeline(
 name="CrowdStrike Falcon Pipeline",
- allowed_backends={"logscale"},
 priority=10,
 items=[
 # Process Creation
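Review bot: Dropping `allowed_backends` from `crowdstrike_falcon_pipeline` removes the only visible guard that this pipeline is paired with the LogScale backend, and nothing in the new code records that the restriction was lifted deliberately or why. The commit message attributes it to sigma-cli problems, but a reader of the function now sees a pipeline that accepts any backend, including ones it was never validated against. I would add a docstring on the function: `"""Pipeline for CrowdStrike Falcon event data, written for the logscale backend; allowed_backends was removed for sigma-cli compatibility (see <issue-or-PR placeholder>)."""`. Whether `crowdstrike_fdr_pipeline`, visible only in the hunk header, still carries the same attribute is not shown here; if it does, the two should be made consistent. The function's items list continues outside the hunk.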