It would be nice, if it is possible to use the |re modifier in a rules YAML - currently it is mot supported by the backend. I thought about how to implement it as in Splunk we have the "regex" and "rex" command. But I guess in Sigma |re is mostly used as a filter, so maybe append it directly as Splunk's "regex" command after the base search, as Splunk's "rex" command is basically field extraction, which is handled in the pipelines.
It would be nice, if it is possible to use the |re modifier in a rules YAML - currently it is mot supported by the backend. I thought about how to implement it as in Splunk we have the "regex" and "rex" command. But I guess in Sigma |re is mostly used as a filter, so maybe append it directly as Splunk's "regex" command after the base search, as Splunk's "rex" command is basically field extraction, which is handled in the pipelines.