Rule failure for Windows path exclusions?

Hello,

Elastic 7.9.2

Results in:

The working directory values were autocompleted, so it seems weird that this throws an error. When I try to escape the '\', autocomplete does not work.

Grtz

Willem

Hi @willemdh, thanks for posting! This looks like an instance of a known issue: https://github.com/elastic/kibana/issues/82267

There's a fix slated for the 7.11 release if you're in a position to be able to upgrade. The fix can be tracked here: https://github.com/elastic/kibana/pull/85051

As for a workaround, if you're not able to target the same process using another field value that doesn't necessitate quotes (i.e. one that doesn't contain a space), you might try creating a custom rule that incorporates this exception into the rule query.

Hope this helps!
Madi

Hi @madi,

Thanks for posting the GH links, I'll follow up over there. :slight_smile:

In the meantime I'll create a filter for the rule query instead of an exception, like you suggest.

Grtz

Willem


Fyi, created the following rule filter:

{
  "bool": {
    "must": [
      {
        "terms": {
          "process.parent.name": [
            "cmd.exe"
          ]
        }
      },
      {
        "terms": {
          "process.name": [
            "tasklist.exe"
          ]
        }
      },
      {
        "terms": {
          "process.working_directory": [
            "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\Common7\\IDE\\",
            "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise\\Common7\\IDE\\"
          ]
        }
      }
    ]
  }
}

Which seems to do the job. Thanks @madi

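To see what the workaround actually does, here is an added example (not code from the thread or from Elastic) that folds the exception into a single rule query, as suggested above, and evaluates it locally against constructed sample events. The filter Willem posted matches the excluded paths; it is assumed here to be applied as an excluded (negated) filter in the rule, which is what the `must_not` clause expresses. The evaluator covers only the slice of the Elasticsearch query DSL involved (`bool` with `must`/`filter`/`must_not`/`should`, and `term`/`terms` on dotted ECS field names), and compares values exactly and case-sensitively, as Elasticsearch does for a keyword field such as `process.working_directory`. The events, their IDs and the `make_event` helper are constructed for the example.

```python
import json

# Rule query with the exception folded in (added example, not the thread's
# filter verbatim): the detection logic sits in "must", the excluded working
# directories in "must_not". The doubled backslashes are JSON escaping; the
# stored value carries a single backslash per path separator.
RULE_QUERY = json.loads(r'''
{
  "bool": {
    "must": [
      {"terms": {"process.parent.name": ["cmd.exe"]}},
      {"terms": {"process.name": ["tasklist.exe"]}}
    ],
    "must_not": [
      {"terms": {"process.working_directory": [
        "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\Common7\\IDE\\",
        "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise\\Common7\\IDE\\"
      ]}}
    ]
  }
}
''')


def get_field(event, dotted):
    """Resolve an ECS dotted field name (e.g. process.parent.name) in a nested dict."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _as_list(clauses):
    # Elasticsearch accepts a single clause object or a list of clauses.
    return [clauses] if isinstance(clauses, dict) else list(clauses or [])


def matches(query, event):
    """True if the event satisfies the query (subset of the query DSL)."""
    (kind, body), = query.items()
    if kind == "term":
        (field, value), = body.items()
        if isinstance(value, dict):          # {"term": {"f": {"value": v}}} form
            value = value["value"]
        return get_field(event, field) == value
    if kind == "terms":
        (field, values), = body.items()
        return get_field(event, field) in values   # exact, case-sensitive
    if kind == "bool":
        required = _as_list(body.get("must")) + _as_list(body.get("filter"))
        if not all(matches(q, event) for q in required):
            return False
        if any(matches(q, event) for q in _as_list(body.get("must_not"))):
            return False
        should = _as_list(body.get("should"))
        if should:
            # With no must/filter clauses, at least one should clause must match.
            minimum = body.get("minimum_should_match", 0 if required else 1)
            if sum(matches(q, event) for q in should) < minimum:
                return False
        return True
    raise ValueError(f"unsupported clause type: {kind}")


def alerting_event_ids(events, query=RULE_QUERY):
    """IDs of the events the rule would raise an alert for."""
    return [e["event"]["id"] for e in events if matches(query, e)]


def make_event(event_id, parent, name, cwd):
    # Hypothetical helper building a minimal ECS-shaped process event.
    return {
        "event": {"id": event_id},
        "process": {"name": name, "parent": {"name": parent}, "working_directory": cwd},
    }


VS_PRO_IDE = "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Professional\\Common7\\IDE\\"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Visual Studio tooling running tasklist from the IDE directory: excluded.
    make_event("vs-pro", "cmd.exe", "tasklist.exe", VS_PRO_IDE),
    # The same binary launched from a user's Downloads folder: still alerts.
    make_event("downloads", "cmd.exe", "tasklist.exe", "C:\\Users\\alice\\Downloads\\"),
    # keyword matching is exact: a lowercased path is NOT excluded, although
    # Windows itself treats it as the same directory...
    make_event("lowercase", "cmd.exe", "tasklist.exe", VS_PRO_IDE.lower()),
    # ...and neither is the same path without its trailing backslash.
    make_event("no-slash", "cmd.exe", "tasklist.exe", VS_PRO_IDE.rstrip("\\")),
    # Different parent process: the rule's own logic does not match at all.
    make_event("pwsh", "powershell.exe", "tasklist.exe", "C:\\Users\\alice\\"),
]

if __name__ == "__main__":
    print(alerting_event_ids(SAMPLE_EVENTS))   # → ['downloads', 'lowercase', 'no-slash']
```

Two things worth checking before shipping such a filter: the excluded values must match the indexed string byte for byte, including the trailing backslash and letter case, so copy them from an actual event rather than typing them, and remember that `process.working_directory` is chosen by whoever starts the process, so any `cmd.exe` that changes into one of those IDE directories before running `tasklist.exe` is exempted along with Visual Studio. The exception buys less noise at the cost of that blind spot, which is the usual trade-off with path-based exclusions.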

Great! Glad you got it sorted, @willemdh!
