feat: add expr optional chaining (field?.filed) supprt

Author: pH-T

sigma/backends/golangexpr/golangexpr.py

@@ -47,9 +47,12 @@ class GolangExprBackend(TextQueryBackend):
     field_quote_pattern_negation : ClassVar[bool] = True            # Negate field_quote_pattern result. Field name is quoted if pattern doesn't matches if set to True (default).
 
     ### Escaping
-    field_escape : None #ClassVar[str] = "\\"               # Character to escape particular parts defined in field_escape_pattern.
+    # CAUTION: the following could be considered as a slightly hacky solution
+    # but since expr does not allow any "special" chars in its field names 
+    # absuing the escaping to add `?` to any `.` (https://expr-lang.org/docs/language-definition#optional-chaining) seems reasonable
+    field_escape : ClassVar[str] = "?"               # Character to escape particular parts defined in field_escape_pattern.
     field_escape_quote : ClassVar[bool] = True        # Escape quote string defined in field_quote
-    field_escape_pattern : ClassVar[Pattern] = re.compile("\\s")   # All matches of this pattern are prepended with the string contained in field_escape.
+    field_escape_pattern : ClassVar[Pattern] = re.compile(r"\.")   # All matches of this pattern are prepended with the string contained in field_escape.
 
     ## Values
     str_quote       : ClassVar[str] = '"'     # string quoting character (added as escaping character)

tests/test_backend_golangexpr.py

@@ -1,6 +1,8 @@
 import pytest
 from sigma.collection import SigmaCollection
 from sigma.backends.golangexpr import GolangExprBackend
+from sigma.pipelines.elasticsearch.windows import ecs_windows
+from sigma.processing.resolver import ProcessingPipelineResolver
 
 @pytest.fixture
 def golangexpr_backend():
@@ -402,6 +404,25 @@ def test_golangexpr_contains_all(golangexpr_backend : GolangExprBackend):
         """)
     ) == ['lower(field) contains lower("value1") and lower(field) contains lower("value2") and (lower(field) contains lower("value1") or lower(field) contains lower("value2"))']
 
+def test_golangexpr_FieldChain():
+    piperesolver = ProcessingPipelineResolver()
+    piperesolver.add_pipeline_class(ecs_windows())  
+    combined_pipeline = piperesolver.resolve(piperesolver.pipelines)
+    assert GolangExprBackend(combined_pipeline).convert(
+        SigmaCollection.from_yaml(r"""
+            title: Test 
+            status: test
+            logsource:
+                product: windows
+                service: security
+            detection:
+                selection:
+                   CommandLine|contains|all:
+                        - '"set'
+                        - '-f'
+                condition: selection
+        """)
+    ) == [r'lower(winlog?.channel) == lower("Security") and lower(process?.command_line) contains lower("\"set") and lower(process?.command_line) contains lower("-f")']
 
 # NOT POSSIBLE IN Expr
 # def test_golangexpr_field_name_with_whitespace(golangexpr_backend : GolangExprBackend):