Wondering if it also works with C:\\SomePath*
or ?:\\SomePath\SomeOtherPath*
on, for example, process.working_directory.
I'll try testing this ASAP; see also Wildcard filter on a Windows path - #3 by willemdh.
IMHO it would be nice to see this working in filters too though, as those are used in Elastic SIEM?