theflakes
commented
7 months ago Don't have a lot of time to test this but it looks like a good solution I missed, thanks. Will merge it shortly.
Closed PiRomant closed 7 months ago
theflakes
commented
7 months ago Don't have a lot of time to test this but it looks like a good solution I missed, thanks. Will merge it shortly.
theflakes
commented
7 months ago Only concern is if it will cause issues with any non-mapped fields, e.g. fields where the "full_log" field name is used to search the entire log.
PiRomant
commented
7 months ago @theflakes, your code is ready for this. It will remove the ^ and $ leaving only the parentheses.
https://github.com/theflakes/sigma_to_wazuh/blob/cc09245cf326590ad455ae357e3347c8b7c797b3/sigma_to_wazuh.py#L181-L190
As you can see in Result diff every name="full_log" is fine.
Close https://github.com/theflakes/sigma_to_wazuh/issues/21 Result diff - https://www.diffchecker.com/ULkKIpud/