I’ve just found some error messages in my logs caused by an (automatically translated) Sigma rule which contains the following search string, producing an error message:
(ParentImage:/c\:\\windows\\temp\\/) AND (Image:/c\:\\windows\\temp\\helper\\.*/)
This is, however, correct syntax and should also be correct Graylog syntax. The following works without any issues:
(ParentImage:/c\:\\windows\\temp/) AND (Image:/c\:\\windows\\temp\\helper\\.*/)
(notice the missing \\ at the end of the first regex string).
I understand that it would be way more efficient not to use regex here but I was interested in what causes this issue. Any ideas?
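What the two queries look like to a Lucene-style query lexer, as an added example that is not part of the original post. It assumes Graylog tokenizes the search string the way the Lucene classic QueryParser does, whose regex-term rule is `<REGEXPTERM: "/" ( ~["/"] | "\\/" )* "/" >` with longest-match semantics: inside `/.../` a slash directly preceded by a backslash counts as an escaped slash and does not close the term. With `temp\\/`, the second backslash plus the `/` is read as `\/`, so the first regex term runs on until the `/` that opens the second regex, and the rest of the string no longer lexes. The emulation below (illustrative code, not Graylog's or Lucene's) reproduces that on the two queries from the post and on a hypothetical rewrite, `[\\]`, that keeps the trailing backslash without ever producing the `\/` sequence; whether Graylog's regex engine accepts that class the same way is an assumption not verified here.

```python
"""Emulation of the Lucene classic QueryParser lexer for /regex/ terms.

Illustrative code written for this thread; it is not Graylog's or Lucene's
own implementation. Assumes the grammar rule
    <REGEXPTERM: "/" ( ~["/"] | "\\/" )* "/" >
with JavaCC longest-match tokenization.
"""

# Queries copied from the post (constructed input for the emulation).
FAILING_QUERY = r'(ParentImage:/c\:\\windows\\temp\\/) AND (Image:/c\:\\windows\\temp\\helper\\.*/)'
WORKING_QUERY = r'(ParentImage:/c\:\\windows\\temp/) AND (Image:/c\:\\windows\\temp\\helper\\.*/)'
# Hypothetical rewrite: a character class holding the literal backslash,
# so the pattern never ends in the two characters "\/" (assumption: the
# regex engine behind the term accepts a backslash-escaped backslash in a class).
REWRITTEN_QUERY = r'(ParentImage:/c\:\\windows\\temp[\\]/) AND (Image:/c\:\\windows\\temp\\helper\\.*/)'


class LexError(ValueError):
    """Raised where the real lexer would report a lexical/parse error."""


def scan_regexp(query: str, start: int):
    """Scan a /.../ term whose opening slash is at query[start].

    Returns (end_exclusive, raw_token). A '/' directly preceded by '\\' is an
    escaped slash: the term is accepted there but may also continue, and the
    longest accepted prefix wins, exactly like a JavaCC DFA would behave.
    """
    assert query[start] == "/"
    last_accept = None
    i = start + 1
    while i < len(query):
        if query[i] == "/":
            last_accept = i + 1
            if query[i - 1] != "\\":
                break                      # unescaped slash: term must end here
        i += 1
    if last_accept is None:
        raise LexError(f"unterminated regex term starting at offset {start}")
    return last_accept, query[start:last_accept]


def tokenize(query: str):
    """Minimal tokenizer: parentheses, AND/OR/NOT, field names, terms, regex terms."""
    tokens, i, n = [], 0, len(query)
    while i < n:
        ch = query[i]
        if ch.isspace():
            i += 1
        elif ch in "()":
            tokens.append(("PAREN", ch))
            i += 1
        elif ch == "/":
            i, tok = scan_regexp(query, i)
            tokens.append(("REGEXP", tok))
        else:
            # Plain term: backslash escapes the next character; a trailing ':'
            # turns the term into a field name.
            j = i
            while j < n and not query[j].isspace() and query[j] not in "()/":
                j += 2 if query[j] == "\\" else 1
            j = min(j, n)
            text = query[i:j]
            if text in ("AND", "OR", "NOT"):
                tokens.append(("OP", text))
            elif text.endswith(":"):
                tokens.append(("FIELD", text[:-1]))
            else:
                tokens.append(("TERM", text))
            i = j
    return tokens


def find_lexer_problem(query: str):
    """Return None if the query lexes cleanly, otherwise the error message."""
    try:
        tokenize(query)
        return None
    except LexError as exc:
        return str(exc)


if __name__ == "__main__":
    for name, q in [("failing", FAILING_QUERY), ("working", WORKING_QUERY),
                    ("rewritten", REWRITTEN_QUERY)]:
        print(name, "->", find_lexer_problem(q) or "lexes cleanly")
    # Show how far the first regex term of the failing query actually extends.
    print(scan_regexp(FAILING_QUERY, FAILING_QUERY.index("/"))[1])
```

Running it shows the first regex token of the failing query being lexed as `/c\:\\windows\\temp\\/) AND (Image:/`, after which the leftover `\\.*/)` has no closing slash and the lexer fails; the working query and the `[\\]` variant produce two clean `REGEXP` tokens each.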