pySigma-backend-elasticsearch
Regex Escaping for EQL
According to the Elastic documentation, since backslash (\) is also the escaping character for JSON, it needs to be escaped itself. For example, if a Sigma rule is "username|re: '$'" it would have to translate to regex~ "\$". Or at least that is my understanding of how it should work.
Imho this could mean it would be possible to just do a character replace around here: https://github.com/SigmaHQ/pySigma-backend-elasticsearch/blob/bb0c64c47a544411060999d677f1a1047de241b4/sigma/backends/elasticsearch/elasticsearch_eql.py#L98
re_expression: ClassVar[str] = '{field} regex~ "{regex.replace("\\", "\\\\")}"'  # sketch: double each backslash before the regex is inserted into the template
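As an added example, not code from this issue or from the backend itself: the backslash doubling described above done in a small helper, then checked by decoding the literal back the way a double-quoted EQL string is read (the helper names are hypothetical, and treating EQL's `\\` and `\"` escapes as JSON-compatible is an assumption of this example):

```python
import json
import re

# Added illustration, not pySigma or pySigma-backend-elasticsearch code.
# All function names here are hypothetical helpers.


def eql_regex_literal(regex: str) -> str:
    # EQL string literals use backslash as their escape character, so every
    # backslash that belongs to the regex must be doubled. An embedded double
    # quote would terminate the literal early, so it is escaped as well.
    return regex.replace("\\", "\\\\").replace('"', '\\"')


def eql_regex_expression(field: str, regex: str) -> str:
    # Same shape as the backend's '{field} regex~ "{regex}"' template, but with
    # the regex escaped first instead of inserted verbatim.
    return f'{field} regex~ "{eql_regex_literal(regex)}"'


def decode_eql_literal(escaped: str) -> str:
    # Assumption: for the only two sequences produced above (\\ and \"), decoding
    # as a JSON string matches how the EQL parser reads a double-quoted literal,
    # so json.loads yields the regex the engine would actually compile.
    return json.loads(f'"{escaped}"')


def regex_survives_roundtrip(regex: str, sample: str) -> bool:
    # True when the regex recovered from the escaped literal still matches the
    # sample, i.e. the escaping preserved the rule author's pattern.
    compiled_by_engine = decode_eql_literal(eql_regex_literal(regex))
    return re.fullmatch(compiled_by_engine, sample) is not None


if __name__ == "__main__":
    # Constructed Sigma-style pattern: a literal dollar sign, written as \$ in the rule.
    print(eql_regex_expression("username", "\\$"))  # username regex~ "\\$"
    print(regex_survives_roundtrip("\\$", "$"))  # True
```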