According to the Elastic documentation, since backslash (\) is also the escaping character for JSON it needs to be escaped itself.
For example, if a Sigma rule is "username|re: '\$'" it would have to translate to regex~ "\\$"
Or at least that is my understanding of how it should work.
Imho this could mean it would be possible to just do a character replace around here: https://github.com/SigmaHQ/pySigma-backend-elasticsearch/blob/bb0c64c47a544411060999d677f1a1047de241b4/sigma/backends/elasticsearch/elasticsearch_eql.py#L98
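The escaping behaviour described in the comment above, shown as an added example that is not code from the pySigma-backend-elasticsearch project: a Sigma regex value is doubled-backslash-escaped before being placed in an EQL `regex~` clause, and a JSON round-trip is used to simulate what the query engine sees. The function names, the `regex~` clause shape and the sample patterns are constructed for illustration; the example goes slightly beyond the single `\$` case in the comment by also covering a pattern with `\d`.

```python
import json
import re

# Constructed sample: the value of a Sigma "field|re" modifier. In YAML single
# quotes, '\$' is the two characters backslash and dollar, i.e. a regex that
# matches a literal "$". Not taken from any real rule.
SIGMA_REGEX = r"\$"


def escape_for_eql_regex(pattern: str) -> str:
    """Double every backslash so the pattern survives EQL/JSON string unescaping.

    Illustration of the character replacement discussed in the issue; this is
    not the backend's own implementation.
    """
    return pattern.replace("\\", "\\\\")


def eql_regex_clause(field: str, pattern: str) -> str:
    """Build an EQL clause of the assumed shape: <field> regex~ "<pattern>"."""
    return f'{field} regex~ "{escape_for_eql_regex(pattern)}"'


def regex_seen_by_engine(escaped: str) -> str:
    """Simulate the JSON string decoding the query body goes through.

    The escaped pattern is wrapped in quotes and parsed as a JSON string,
    which consumes one level of backslash escaping.
    """
    return json.loads(f'"{escaped}"')


def naive_translation_decodes(pattern: str) -> bool:
    """Return True if the UNescaped Sigma pattern is even valid as a JSON string.

    For a pattern such as \\$ the sequence "\\$" is an invalid JSON escape,
    so the naive 1:1 copy is rejected before any matching happens.
    """
    try:
        json.loads(f'"{pattern}"')
        return True
    except json.JSONDecodeError:
        return False


def pattern_matches_after_roundtrip(pattern: str, sample: str) -> bool:
    """Escape, JSON-decode, then apply the resulting regex to a sample value."""
    decoded = regex_seen_by_engine(escape_for_eql_regex(pattern))
    return re.search(decoded, sample) is not None


if __name__ == "__main__":
    print(eql_regex_clause("username", SIGMA_REGEX))
    print("naive copy is valid JSON:", naive_translation_decodes(SIGMA_REGEX))
    print("escaped copy decodes to:", regex_seen_by_engine(escape_for_eql_regex(SIGMA_REGEX)))
```

Running the block prints the clause `username regex~ "\\$"`, reports that the naive copy is not valid JSON, and shows the escaped copy decoding back to `\$`, which is what the regex engine should receive.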