From c506b628a17d1c5f1471278c614e33203be0a169 Mon Sep 17 00:00:00 2001
From: Fplyth0ner <30000539+Fplyth0ner-Combie@users.noreply.github.com>
Date: Mon, 9 Feb 2026 23:25:31 +0800
Subject: [PATCH] Update functions.py

Use fnmatch to improve the wildcard string handling methods.
---
 eql/functions.py | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/eql/functions.py b/eql/functions.py
index 7191064..39625c9 100644
--- a/eql/functions.py
+++ b/eql/functions.py
@@ -1,5 +1,6 @@
 """EQL functions."""
 import re
+import fnmatch
 
 from .errors import EqlError
 from .signatures import SignatureMixin
@@ -555,18 +556,9 @@ class Wildcard(FunctionSignature):
     def to_regex(cls, *wildcards):
         """Convert a list of wildcards to a regular expression."""
         expressions = []
-        head = "^"
-        tail = "$"
 
         for wildcard in wildcards:
-            pieces = [re.escape(p) for p in fold_case(wildcard).split('*')]
-            regex = head + '.*?'.join(pieces) + tail
-
-            tail_skip = '.*?$'
-
-            if regex.endswith(tail_skip):
-                regex = regex[:-len(tail_skip)]
-            expressions.append(regex)
+            expressions.append(fnmatch.translate(wildcard))
 
         return "|".join(expressions)