You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Fixed issue #13 where '*' character was being escaped incorrectly CommandLine strings
Fixed issue #14 where Sigma schema wildcards ('*', '?') in the middle of a string would create nonsense queries
Since KQL does not use wildcards, anytime a wildcard value is seen inside a string (not at the beginning or end) from the Sigma Rule, we now split it by the wildcard and use a contains for each substring.
Example: a CommandLine field with a value of advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any will be converted to (ProcessCommandLine contains "advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=" and ProcessCommandLine contains ":\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any")