Hi Wazuh Community,
I am currently testing process creation whitelisting using a CDB list (key-value format) in Wazuh.
My use case is to whitelist known parent process and child process combinations by storing them in a CDB list. However, I am facing an issue where the process path is not being accepted correctly as the key because it contains / (or full file paths in general). As a result, the CDB lookup does not appear to match as expected.
I would like to understand whether using full process paths as CDB keys is supported, whether there are any restrictions on characters such as /, and if there is a recommended approach for whitelisting parent-child process combinations when the values are full executable paths. If this is not the intended use of CDB lists, I would appreciate any guidance on the recommended best practice for implementing this use case.
If anyone has implemented a similar solution, I would be grateful for any suggestions or examples.
Thank you.