Open tallyoh opened 6 months ago
Just wondering if there has been any movement on this and if a fix is coming in 2.15. Thanks!
@sbcd90 - good afternoon. Do you have any suggestions on how I could get some attention to this bug? I wish I were a developer, but I'm unable to contribute a fix myself. I welcome any suggestions. Thank you.
@praveensameneni Hi Praveen, this bug has been open for a long time. Do you have any suggestions on how I can get some attention to it? I'm not a developer, but can I buy someone a pizza?
Hi @ELKHostmaster, will work on it for the next release.
@sbcd90 Awesome! thank you very much.
Hi everyone,
Just checking whether someone out there has found an alternative for now?
Thank you,
Sadly no. Been waiting since May for a fix. I wish I could bribe someone with a pizza and beer for some fixes. Unfortunately, I'm not a developer, so I'm just patiently waiting.
What is the bug? A Sigma rule with a whitespace gets incorrectly translated to a search query with "ws" instead of a whitespace.
How can one reproduce the bug?
detection:
  condition: (selection and selection_evt) and not filter_main_known_locations
  filter_main_known_locations:
    process.executable|contains:
Results in: (((process.name: "MpCmdRun.exe") OR (process.name: "NisSrv.exe")) AND ((event.code: 1) AND (event.module: "sysmon"))) AND ((((NOT process.executable: C\:\Program_ws_Filesws(x86)\Windows_ws_Defender\* AND exists: process.executable) AND (NOT process.executable: C\:\Program_ws_Files\Microsoft_ws_Security_ws_Client\ AND exists: process.executable) AND (NOT process.executable: C\:\Program_ws_Files\Windows_ws_Defender\ AND exists: process.executable) AND (NOT process.executable: C\:\ProgramData\Microsoft\Windows_ws_Defender\Platform\ AND exists: process.executable) AND (NOT process.executable: C\:\Windows\WinSxS\* AND exists: process.executable))))
What is the expected behavior? A whitespace should work properly in a Sigma rule that is translated to a Lucene query.
What is your host/environment? OS 2.13
Do you have any additional context? Looking in GitHub, I can see where the "ws" is being set. Not sure why. https://github.com/search?q=repo%3Aopensearch-project%2Fsecurity-analytics%20%20_ws_&type=code