Sigma Rule Tuning broken EQL conversion

[SecOps56]

While trying to add a tuning filter to a sigma rule "Driver Load From A Temporary Directory" I am running into an issue where the EQL conversion removed the escape character "\" from the end of the string.

Example:

Sigma Rule:

sofilter:
event_data.file.path:
- "*\\ProgramData\\Microsoft\\Windows\\WER\\Temp\\*"

EQL Conversion:

any where file.path:"*\\Temp\\*" and (not (event_data.file.path like~ ("*\\ProgramData\\Microsoft\\Windows\\WER\\Temp\*")))

Since the final escape is removed, it changes the escape of the escape to an escape of the wildcard. If you test this in Kibana you get an error and if you modify it in Kibana by adding the escape character back in, then it works properly. I tried adding a 3rd escape character in the sigma rule tuning section and received a 400 error when I tried to save.

Unless I am missing something I believe there is a bug in the EQL conversion that is removing my final escape character.

[defensivedepth]

hey there, I moved this to a Discussion until we can confirm it is a bug.

You should not need the double backslashes in the path in the filter.

[SecOps56]

I get an error message when I try to save without the double back slashes, and it does not save. Am I missing something?

[defensivedepth]

What is the error message?

[SecOps56]

"Request failed with status code 400
See the Help section of the Security Onion documentation for additional troubleshooting guidance.
The Hunt interface may contain additional log messages to further diagnose the issue."

[defensivedepth]

Try this:

[SecOps56]

single quote solved the issue. I have a few other lines a part of the filter. I found that if you are using a wild card "*" in the middle of the file name you have to escape the slash before the wild card.

I am trying to add file extensions into this exclusion and it does not actually filter out the data.

Example:
'\Users\\*\AppData\Local\Temp\\*.tmp'

Not sure if this is possible