https://github.com/elastic/integrations/blob/a74f0bf780d1d4a39986bca9bf2f1de1ba04e4ec/packages/windows/data_stream/windows_defender/elasticsearch/ingest_pipeline/default.yml#L160-L164
The above needs to be updated. There are events (specifically event ID 1121 related to Exploit Guard) that instead of having an _ prefixing the path, have just the path with no prefix. IE: Path: C:\\Windows\\System32\\svchost.exe
https://github.com/elastic/integrations/blob/a74f0bf780d1d4a39986bca9bf2f1de1ba04e4ec/packages/windows/data_stream/windows_defender/elasticsearch/ingest_pipeline/default.yml#L160-L164
The above needs to be updated. There are events (specifically event ID 1121 related to Exploit Guard) that instead of having an _ prefixing the path, have just the path with no prefix. IE:
Path: C:\\Windows\\System32\\svchost.exe