Thomas Patzke

Results 92 comments of Thomas Patzke

> IIRC NewValue (stripping of whitespace) was introduced as it was the main way it was used in SigmaHQ at that point and because we thought white space in field...

[pySigma](https://github.com/SigmaHQ/pySigma) and [Sigma CLI](https://github.com/SigmaHQ/sigma-cli) support [placeholders](https://github.com/SigmaHQ/pySigma/blob/3e14695e9c8d08dff04b231710d8f1cb54577f56/tests/test_processing_transformations.py#L411) already. The legacy sigmac and sigmatools will not have placeholder support anymore,

There's some documentation regarding this topic as well as examples in the pySigma tests. The placeholder syntax is described in [the Sigma specification](https://github.com/SigmaHQ/sigma/wiki/Specification#placeholders). pySigma then replaces the placeholders in the...

> I guess that this could be handled in the new pySigma (CC @thomaspatzke) as soon as someone wrote a backend for MDATP
>
> I'm not sure if field...

I would implement this as additional value modifiers.

It wouldn't go into the 0.x tools anymore; it's already implemented in the rewrite, of which I plan to release a first preview version soon.

It's already implemented in pySigma, in quite the same way you described 😊

- https://github.com/SigmaHQ/pySigma#modifier-compare-from-sigmac
- https://github.com/SigmaHQ/pySigma/blob/d8f408e9ea4bf8b8ba4fc6d15bb628c861757d8f/tests/test_conversion_base.py#L258

You should definitely use pySigma; it is a rewrite of sigmac and has a better structure and test coverage. The final goal is to port backends to pySigma and discontinue...

Yes, there will be a CLI, even a better one 😉 The project structure will be a bit different. pySigma is the library part, backends and CLI will be separate...