Hello Elastic Community,
I’m working on creating rule exclusions in Kibana using the MATCHES operator. While reviewing the official documentation, I found this explanation:
---Add and manage exceptions | Elastic Security Solution [8.15] | Elastic
MATCHES | DOES NOT MATCH — Allows the use of wildcards in the Value field, such as C:\path\*\app.exe. Available wildcards are ? (matches one character) and * (matches zero or more characters). The selected field data type must be keyword, text, or wildcard.
Note:
Some characters must be escaped with a backslash, such as \ for a literal backslash, * for an asterisk, and ? for a question mark. Windows paths must be divided with double backslashes (for example, C:\Windows\explorer.exe), and paths that already include double backslashes might require four backslashes for each divider.
I understand that backslashes, asterisks, and question marks need to be escaped, but I’d like to confirm the complete list of characters that require escaping when using the MATCHES operator. Could someone provide more clarity or point me to the specific part of the documentation that outlines all such characters?
Thanks in advance for the help!