Thanks for your answer, @forloop.
When I use the following in a Kibana KQL query:
process.working_directory : C:\\WINDOWS\\*
It does not work, but when I escape the colon:
process.working_directory : C\:\\WINDOWS\\*
I'm getting the expected results. But in Elastic detections I cannot work with a query and I need to exclude with a filter based on a combination of process.name and process.working_directory.
But when I use a filter with a wildcard query, I never seem to get the expected results.
All of the above does not filter on c:\WINDOWS\*
So how should I format a wildcard filter containing backslashes, so I can use it in a Kibana filter?
Willem