Added test for placeholders in fields with string replacements

pySigma issue 284

tests/test_processing_pipelines.py

@@ -2,6 +2,8 @@
 from sigma.exceptions import SigmaTransformationError
 from sigma.backends.test import TextQueryTestBackend
 from sigma.processing.resolver import ProcessingPipelineResolver
+from sigma.processing.pipeline import ProcessingPipeline, ProcessingItem
+from sigma.processing.transformations import ValueListPlaceholderTransformation
 from sigma.pipelines.crowdstrike import (
     crowdstrike_fdr_pipeline,
     crowdstrike_falcon_pipeline,
@@ -481,6 +483,27 @@ def test_crowdstrike_falcon_pipeline_process_creation(
         == "event_platform=/^Win$/i #event_simpleName=/^ProcessRollup2$/i or #event_simpleName=/^SyntheticProcessRollup2$/i CommandLine=/^test\\.exe foo bar$/i ImageFileName=/\\\\test\\.exe$/i"
     )
 
+def test_crowdstrike_falcon_image_with_placeholder(resolver : ProcessingPipelineResolver):
+    sigma_rule = SigmaCollection.from_yaml("""
+        title: Image with Placeholder Test
+        status: test
+        logsource:
+            category: process_creation
+            product: windows
+        detection:
+            sel:
+                Image|expand: "%var%"
+            condition: sel
+    """)
+    pipeline = resolver.resolve_pipeline("crowdstrike_falcon") + ProcessingPipeline(
+        items=[
+            ProcessingItem(transformation=ValueListPlaceholderTransformation())
+        ],
+        vars={"var": ["foo.exe", "bar.exe", "test.exe"]},
+    )
+    backend = LogScaleBackend(pipeline)
+    assert backend.convert(sigma_rule) == "event_platform=/^Win$/i #event_simpleName=/^ProcessRollup2$/i or #event_simpleName=/^SyntheticProcessRollup2$/i ImageFileName=/^foo\\.exe$/i or ImageFileName=/^bar\\.exe$/i or ImageFileName=/^test\\.exe$/i"
+
 
 def test_crowdstrike_falcon_pipeline_parentimage(
     resolver: ProcessingPipelineResolver, process_creation_sigma_rule_parentimage