
Trailing backslashes escape wildcards added by modifiers

Open thomaspatzke opened this issue 1 month ago • 5 comments

From the community Discord:

When converting a Sigma rule to the EQL using the elastic backend and the ecs_windows pipeline, strings ending with a backslash immediately followed by a wildcard (due to the contains modifier) are not correctly escaped in the final query.

Example of incorrect output for a rule matching on the path \Desktop\: The backend would generate: ... like~ ("*\\Desktop\*") (Note: The \ before the final * is not escaped)

Expected correct output for the same rule: The query should have a double backslash before the final wildcard to represent a literal escaped backslash: ... like~ ("*\\Desktop\\*") (Note: The \ before the final * is now escaped as \\)

thomaspatzke avatar Dec 09 '25 22:12 thomaspatzke
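As an added illustration (not pySigma's or the Elastic backend's code, and only a simplified model of how a modifier and a backend's escaping interact), the following Python shows why a rule value ending in a backslash can come out as `*\\Desktop\*` when the `contains` wildcard is spliced into the plain string before escaping, and how keeping wildcards as separate placeholder tokens yields the expected `*\\Desktop\\*`. The `Wildcard` token, both `render_*` functions and the `wildcard_is_escaped` check are hypothetical names chosen for this example; the sample value `\Desktop\` is the one from the report.

```python
from dataclasses import dataclass
from typing import List, Union

ESCAPE = "\\"    # escape character of the target query language
WILDCARD = "*"   # multi-character wildcard of the target query language


@dataclass(frozen=True)
class Wildcard:
    """Placeholder for a wildcard inserted by a modifier (not a literal '*')."""


Token = Union[str, Wildcard]


def apply_contains(value: str) -> List[Token]:
    """Model of the `contains` modifier: a wildcard placeholder on both sides."""
    return [Wildcard(), value, Wildcard()]


def escape_literal(text: str) -> str:
    """Escape every backslash and every literal '*' inside a literal fragment."""
    out = []
    for ch in text:
        if ch in (ESCAPE, WILDCARD):
            out.append(ESCAPE)
        out.append(ch)
    return "".join(out)


def render_structured(tokens: List[Token]) -> str:
    """Correct rendering: literals are escaped, placeholders become bare '*'."""
    return "".join(
        WILDCARD if isinstance(tok, Wildcard) else escape_literal(tok)
        for tok in tokens
    )


def render_flat(value: str) -> str:
    """Faulty rendering that reproduces the reported output (hypothetical model).

    The modifier's wildcards are spliced into the plain string first. The
    escaper then treats any backslash followed by '*' as an escape sequence
    that is already correct and copies it through, so a rule value ending in
    a backslash swallows the wildcard that `contains` appended.
    """
    flat = WILDCARD + value + WILDCARD
    out = []
    i = 0
    while i < len(flat):
        ch = flat[i]
        if ch == ESCAPE and i + 1 < len(flat) and flat[i + 1] == WILDCARD:
            out.append(flat[i:i + 2])   # copied through unchanged: the bug
            i += 2
        else:
            out.append(ESCAPE + ch if ch == ESCAPE else ch)
            i += 1
    return "".join(out)


def wildcard_is_escaped(pattern: str) -> bool:
    """Review check for a rendered pattern: True when its final '*' is preceded
    by an odd number of backslashes and will therefore match a literal '*'
    instead of acting as a wildcard."""
    if not pattern.endswith(WILDCARD):
        return False
    body = pattern[:-1]
    trailing = len(body) - len(body.rstrip(ESCAPE))
    return trailing % 2 == 1


if __name__ == "__main__":
    value = "\\Desktop\\"   # constructed sample: the rule value \Desktop\
    print("reported :", render_flat(value))
    print("expected :", render_structured(apply_contains(value)))
```

The structured rendering is the robust design: a wildcard that a modifier introduces is never part of the literal text, so the escaper cannot confuse a preceding literal backslash with an escape of that wildcard. `wildcard_is_escaped` is the kind of quick check worth running over converted queries when a detection unexpectedly stops matching after conversion.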

I just wanted to confirm that I'm seeing this issue too; feel free to reach out if any additional details or testing is needed.

david-syk avatar Dec 10 '25 08:12 david-syk

Adding further tests to pySigma, possibly the issue is located there.

thomaspatzke avatar Dec 14 '25 21:12 thomaspatzke

It's a pySigma issue, moving it over to the right project.

thomaspatzke avatar Dec 14 '25 22:12 thomaspatzke

@david-syk can you test it with pySigma from branch issue-431?

thomaspatzke avatar Dec 14 '25 23:12 thomaspatzke

@thomaspatzke Sorry - but I'm unable to test this right now. Perhaps someone else might be able to test it additionally so it can be released instead of waiting for me.

david-syk avatar Dec 16 '25 12:12 david-syk

I tried to reproduce the issue myself by implementing tests, from a minimal one to the exact scenario described in the post, and wasn't able to reproduce it 🙁

thomaspatzke avatar Jan 07 '26 23:01 thomaspatzke