fix(filter): Allow interpolation for fields with underscore

rabbitstack · rabbitstack · commit 0a08b8c672e3 · 2025-04-02T21:27:03.000+02:00
diff --git a/pkg/filter/filter.go b/pkg/filter/filter.go
@@ -350,7 +350,7 @@ func (f *filter) GetSequence() *ql.Sequence { return f.seq }
 // which refers to the event in particular sequence stage. Otherwise, the modifier is
 // a well-known field name prepended with the `%` symbol.
 func InterpolateFields(s string, evts []*kevent.Kevent) string {
-	var fieldsReplRegexp = regexp.MustCompile(`%([1-9]?)\.?([a-z0-9A-Z\[\].]+)`)
+	var fieldsReplRegexp = regexp.MustCompile(`%([1-9]?)\.?([a-z0-9A-Z\[\]._]+)`)
 	matches := fieldsReplRegexp.FindAllStringSubmatch(s, -1)
 	r := s
 	if len(matches) == 0 {
diff --git a/pkg/filter/filter_test.go b/pkg/filter/filter_test.go
@@ -1325,6 +1325,21 @@ func TestInterpolateFields(t *testing.T) {
 				},
 			},
 		},
+		{
+			original:     "Suspicious thread start module %thread.start_address.module",
+			interpolated: "Suspicious thread start module C:\\Windows\\System32\\vault.dll",
+			evts: []*kevent.Kevent{
+				{
+					Type:     ktypes.CreateThread,
+					Category: ktypes.Thread,
+					Name:     "CreateThread",
+					PID:      1023,
+					Kparams: kevent.Kparams{
+						kparams.StartAddressModule: {Name: kparams.StartAddressModule, Type: kparams.UnicodeString, Value: "C:\\Windows\\System32\\vault.dll"},
+					},
+				},
+			},
+		},
 		{
 			original: `Detected an attempt by <code>%1.ps.name</code> process to access
 and read the memory of the <b>Local Security And Authority Subsystem Service</b>
