SigmaHQ / pySigma-backend-crowdstrike

SigmaHQ pySigma CrowdStrike processing pipeline
GNU Lesser General Public License v2.1

Regex fails if piped to |contains #10

Closed joshnck closed 1 month ago

joshnck commented 2 months ago

https://github.com/SigmaHQ/pySigma-backend-crowdstrike/blob/1d673eabf9aeffa0ca826e01b6ce79d0451e9f72/sigma/pipelines/crowdstrike/crowdstrike.py#L443

I think this can be fixed with (^[C-Z]:)|(\*[C-Z]:) but I have not validated it yet.
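The following is an added illustration of the behaviour the issue describes, not code from this issue, the pySigma project, or the CrowdStrike pipeline. It assumes that the pattern at the linked line is a drive-letter match anchored to the start of the value (written here as `^[C-Z]:`), approximates how the `startswith` and `contains` modifiers wrap a value in `*` wildcards, and uses a placeholder replacement string (`<DRIVE>`) rather than whatever the pipeline actually substitutes. It also shows a zero-width variant of the proposed alternation, because `\*[C-Z]:` consumes the leading wildcard when used in a substitution.

```python
import re

# Assumed original form of the pattern discussed in the issue: a drive-letter
# match anchored to the start of the value. Illustrative, not the project's code.
ANCHORED = re.compile(r"^[C-Z]:")

# The alternation proposed in the issue: drive letter at the start of the value,
# or immediately after a "*" wildcard.
PROPOSED = re.compile(r"(^[C-Z]:)|(\*[C-Z]:)")

# Same reach as PROPOSED, but the "*" is matched as zero-width context (lookbehind)
# instead of being consumed, so a substitution keeps the wildcard. Illustrative.
ZERO_WIDTH = re.compile(r"(?:^|(?<=\*))[C-Z]:")

# Placeholder replacement; what the real pipeline substitutes is not reproduced here.
PLACEHOLDER = "<DRIVE>"


def render(value: str, modifier: str = "") -> str:
    """Constructed approximation of the plain-string form of a Sigma value after a
    modifier adds its wildcards: startswith appends '*', contains wraps in '*'."""
    if modifier == "startswith":
        return value + "*"
    if modifier == "contains":
        return "*" + value + "*"
    if modifier == "endswith":
        return "*" + value
    return value


def matches(pattern: "re.Pattern[str]", value: str) -> bool:
    """True if the drive-letter pattern finds a match anywhere in the rendered value."""
    return pattern.search(value) is not None


def rewrite(pattern: "re.Pattern[str]", value: str, repl: str = PLACEHOLDER) -> str:
    """Substitute the first drive-letter match; shows whether a leading '*' survives."""
    return pattern.sub(repl, value, count=1)


def compare(value: str) -> dict:
    """Run each pattern against the startswith and contains renderings of value and
    return the match results plus the rewritten contains form for comparison."""
    sw = render(value, "startswith")
    ct = render(value, "contains")
    return {
        "startswith": sw,
        "contains": ct,
        "anchored_matches_startswith": matches(ANCHORED, sw),
        "anchored_matches_contains": matches(ANCHORED, ct),   # the reported failure
        "proposed_matches_contains": matches(PROPOSED, ct),
        "zero_width_matches_contains": matches(ZERO_WIDTH, ct),
        "proposed_rewrite": rewrite(PROPOSED, ct),             # leading '*' consumed
        "zero_width_rewrite": rewrite(ZERO_WIDTH, ct),         # leading '*' kept
    }


if __name__ == "__main__":
    # Constructed sample value, as a rule author might write it for a |contains test.
    for key, result in compare("C:\\Windows\\Temp\\").items():
        print(f"{key:32} {result}")
```

Run stand-alone, the block prints that the anchored pattern matches the `startswith` rendering but not the `contains` rendering, that both the proposed alternation and the lookbehind variant match the `contains` rendering, and that only the lookbehind variant leaves the leading `*` in place after substitution.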

joshnck commented 2 months ago

I'm also okay with this being closed as a non-issue because c:\ should always be used with |startswith. Just something I noticed while doing some tuning.

moullos commented 1 month ago

Hi @joshnck

This ended up highlighting some possible improvements to the backend so I ended up fixing it.

Thank you!