Wildcard filter on a Windows path

Hello,

I'm trying to create a wildcard filter that filters on paths starting with c:\git*

But:

{
  "query": {
    "wildcard": {
      "process.working_directory": {
        "value": "c:\\git\\*"
      }
    }
  }
}

is not working. And escaping the ':', as suggested in Wildcard query with a file path - Search for c:\users\public* results in:

[screenshot]

How should I handle this?

Grtz

Willem

I don't think the colon needs to be escaped in the query DSL value. It needs to be escaped in the linked topic because : is part of the Lucene query parser syntax which separates a target field from the search term.

When you say "is not working", does

  • the query DSL not return the expected results?
  • an error occur in Elasticsearch?

Thanks for your answer @forloop

When I use the following in a Kibana KQL query:

process.working_directory : C:\\WINDOWS\\*

It does not work, but when I escape the colon:

process.working_directory : C\:\\WINDOWS\\*

I'm getting the expected results. But in Elastic detections I cannot work with a query and I need to exclude with a filter based on a combination of process.name and process.working_directory.

But when I use a filter with a wildcard query, I never seem to get the expected results.

[screenshots]

None of the above filters on c:\WINDOWS\*

So how should I format a wildcard filter containing backslashes, so I can use it in a Kibana filter?

Willem
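As an added illustration (not code from the thread or from Elastic), the script below models locally how a Lucene wildcard pattern is matched against a keyword value, so a Windows-path pattern can be checked before it is pasted into a query DSL filter. It assumes the Lucene WildcardQuery rules: `*` matches any run, `?` one character, and a backslash escapes the following character, so a literal backslash in the stored value has to be written as `\\` in the pattern (which JSON serialises as `\\\\`). It also assumes `process.working_directory` is an ECS keyword field, matched case-sensitively unless the wildcard query's `case_insensitive` option is set. The sample documents are constructed.

```python
"""Local model of how an Elasticsearch ``wildcard`` query pattern is matched
against a keyword field, used to sanity-check Windows-path patterns offline."""
import json
import re

# Constructed sample documents (not from the thread), stored as ECS keyword values.
SAMPLE_DOCS = [
    {"process.name": "git.exe", "process.working_directory": r"C:\git\repo"},
    {"process.name": "cmd.exe", "process.working_directory": r"C:\WINDOWS\system32"},
    {"process.name": "powershell.exe", "process.working_directory": r"c:\windows\temp"},
    {"process.name": "explorer.exe", "process.working_directory": r"D:\data"},
]


def wildcard_to_regex(pattern):
    """Translate a Lucene wildcard pattern to an anchored regex.

    Assumed Lucene rules: ``*`` is any run, ``?`` is one character and a
    backslash makes the *next* character literal, so ``\\g`` is just ``g`` and a
    literal backslash must be written as two backslashes in the pattern.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped char, taken literally
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # a trailing lone backslash stays literal
        i += 1
    return "^" + "".join(parts) + "$"


def run_wildcard(docs, field, pattern, case_insensitive=False):
    """Return process names of docs whose keyword ``field`` matches ``pattern``.

    Mirrors the query DSL: the whole stored value must match, case-sensitively
    unless ``case_insensitive`` (the wildcard query option) is set.
    """
    flags = re.IGNORECASE if case_insensitive else 0
    rx = re.compile(wildcard_to_regex(pattern), flags)
    return [d["process.name"] for d in docs if rx.match(d[field])]


def build_query(field, pattern, case_insensitive=False):
    """Serialise the query DSL body; ``json.dumps`` doubles every backslash."""
    value = {"value": pattern}
    if case_insensitive:
        value["case_insensitive"] = True
    return json.dumps({"query": {"wildcard": {field: value}}})


if __name__ == "__main__":
    field = "process.working_directory"
    # The thread's JSON "c:\\git\\*" is the pattern c:\git\* ...
    naive = "c:\\git\\*"
    print(build_query(field, naive), "->", run_wildcard(SAMPLE_DOCS, field, naive))
    # ... which Lucene reads as c:git followed by a literal *, so nothing matches.
    # Doubling each backslash makes it literal; JSON then shows four per separator.
    literal = "c:\\\\git\\\\*"
    print(build_query(field, literal), "->", run_wildcard(SAMPLE_DOCS, field, literal))
    # Keyword matching is case-sensitive: "c:" never matches "C:" without the option.
    print(build_query(field, literal, True), "->",
          run_wildcard(SAMPLE_DOCS, field, literal, True))
```

Run it as a script and compare the three printed query bodies with the results each one yields; the JSON form of the second and third is what would be pasted into a filter. The model deliberately ignores analysis, so it only represents keyword fields; confirm the field mapping and the escape behaviour against your own cluster before relying on it.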
