From 7451bfd7685d346cf7bcb036a6051b8f5d1fbbcf Mon Sep 17 00:00:00 2001
From: Alex-Kidston <113187177+Alex-Kidston@users.noreply.github.com>
Date: Fri, 19 Jan 2024 15:06:38 +0000
Subject: [PATCH] change START / STOP regex to include <= year 2000 (#1640)
---
 .../qradar/stix_translation/query_constructor.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stix_shifter_modules/qradar/stix_translation/query_constructor.py b/stix_shifter_modules/qradar/stix_translation/query_constructor.py
index a3561dd22..3ba880019 100644
--- a/stix_shifter_modules/qradar/stix_translation/query_constructor.py
+++ b/stix_shifter_modules/qradar/stix_translation/query_constructor.py
@@ -18,7 +18,7 @@ FILTERING_DATA_TYPES = {"x-qradar:INOFFENSE": "INOFFENSE"}
-START_STOP_STIX_QUALIFIER = r"START((t'\d{4}(-\d{2}){2}T\d{2}(:\d{2}){2}(\.\d+)?Z')|(\s\d{13}\s))STOP"
+START_STOP_STIX_QUALIFIER = r"START((t'\d{4}(-\d{2}){2}T\d{2}(:\d{2}){2}(\.\d+)?Z')|(\s\d{12,}\s))STOP"
 TIMESTAMP = r"^'\d{4}(-\d{2}){2}T\d{2}(:\d{2}){2}(\.\d+)?Z'$"
 TIMESTAMP_MILLISECONDS = r"\.\d+Z$"
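Review bot: The new `\d{12,}` in START_STOP_STIX_QUALIFIER has no upper bound, so a digit run of any length between START and STOP now matches where the old pattern required exactly 13 digits. If the goal is only to admit 12-digit epoch-millisecond values (roughly March 1973 to September 2001), `(\s\d{12,13}\s)` keeps the match tight; values of 11 or fewer digits (before 1973) still fall through either way, which the subject line's "<= year 2000" does not make clear. The code that consumes this pattern is outside the hunk, so it is worth confirming what happens to a qualifier that does not match, since a time window that is silently dropped or mis-parsed changes the scope of the QRadar search. A comment such as `# epoch milliseconds: 12 digits = 1973-03 .. 2001-09, 13 digits = 2001-09 .. 2286-11` above the constant would document the bound.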