Escaping
To use a literal backslash “\” in a SAFL command, it must be escaped with another backslash, i.e. written as “\\”.
Example:
source sysmon_operational
| search command_line="C:\\Windows\\cmd.exe dir /s c:\\ProgramFiles >> files.txt"
Attention!
To search by exact match, the field must be of type keyword. If the field is of the text type, which is used by default when indexing data, then you must explicitly specify the keyword type when searching.
Example:
source sysmon_operational
| search command_line.keyword="C:\\Windows\\cmd.exe dir /s c:\\ProgramFiles >> files.txt"
For more information about field types, see here.
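The following Python snippet is an added example, not part of the SAFL documentation or any SAFL tooling. It escapes a raw Windows command line the way the page describes, composes the `| search` clause, and uses a deliberately simplified model of an analyzed `text` field versus a `keyword` field to show why only the `.keyword` form gives an exact match. The analyzer model (lowercasing, splitting on non-word characters, every query token must occur in the indexed value) and the handling of embedded double quotes are assumptions, not behaviour stated on the page.

```python
import re

# Constructed sample value: the command line from the documentation's example.
CMD = r"C:\Windows\cmd.exe dir /s c:\ProgramFiles >> files.txt"


def escape_safl(value: str) -> str:
    """Escape a raw value for use inside a double-quoted SAFL string literal.

    The documentation states a literal backslash must be written as "\\".
    Escaping an embedded double quote as \" is an assumption, not from the page.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def unescape_safl(literal: str) -> str:
    """Reverse escape_safl, used to check that an escaped literal round-trips."""
    out, i = [], 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal):
            out.append(literal[i + 1])   # take the escaped character verbatim
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def build_search(source: str, field: str, raw_value: str, exact: bool = True) -> str:
    """Compose a SAFL query; exact=True targets the .keyword subfield the page requires."""
    target = f"{field}.keyword" if exact else field
    return f'source {source}\n| search {target}="{escape_safl(raw_value)}"'


def analyze(value: str) -> list[str]:
    """Simplified model (assumption) of a 'text' analyzer: lowercase, split on non-word chars."""
    return [t for t in re.split(r"\W+", value.lower()) if t]


def field_matches(indexed: str, query: str, field_type: str) -> bool:
    """Model of how a search value compares against a stored field of the given type."""
    if field_type == "keyword":
        # keyword: the whole value is stored verbatim, so the comparison is exact
        return indexed == query
    if field_type == "text":
        # text: only analyzed tokens survive indexing, so case, punctuation and
        # token order are lost; every query token just has to appear somewhere
        return set(analyze(query)) <= set(analyze(indexed))
    raise ValueError(f"unknown field type: {field_type}")


if __name__ == "__main__":
    print(build_search("sysmon_operational", "command_line", CMD))
    reordered = r"c:\programfiles dir /s C:\Windows\cmd.exe >> files.txt"
    print("text match  :", field_matches(CMD, reordered, "text"))     # True: same tokens
    print("keyword match:", field_matches(CMD, reordered, "keyword"))  # False: different string
```

Running the block prints the two-line query from the documentation's second example, then shows that a reordered, differently cased command line still satisfies the modelled `text` comparison while the `keyword` comparison rejects it. That is the practical reason the page insists on `command_line.keyword` when a detection rule needs the exact command string rather than "a command containing these words".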