From 993eb4a6a62e09ece79debd31e223ec7c2276c7e Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Thu, 18 May 2023 13:22:50 -0400 Subject: [PATCH] [8.8] [BUG] Re-add note about escaping special characters (backport #3302) (#3303) Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/detections/add-exceptions.asciidoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index cdbe2fa39e..4539c7e222 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc 
@@ -82,7 +82,9 @@ Fields with conflicts are marked with a warning icon (image:images/field-warning * Wildcards are not supported in value lists. * If a value list can't be used due to <>, it'll be unavailable in the *Value* menu. ======= - * `matches` | `does not match` — Allows you to use wildcards in *Value*, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected *Field* data type must be {ref}/keyword.html#keyword-field-type[keyword], {ref}/text.html#text-field-type[text], or {ref}/keyword.html#wildcard-field-type[wildcard]. + * `matches` | `does not match` — Allows you to use wildcards in *Value*, such as `C:\\path\\*\\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected *Field* data type must be {ref}/keyword.html#keyword-field-type[keyword], {ref}/text.html#text-field-type[text], or {ref}/keyword.html#wildcard-field-type[wildcard]. ++ +NOTE: Some characters must be escaped with a backslash, such as `\\` for a literal backslash, `\*` for an asterisk, and `\?` for a question mark. Windows paths must be divided with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider. + IMPORTANT: Using wildcards can impact performance. To create a more efficient exception using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching.
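Review bot: The last clause of the added NOTE, "paths that already include double backslashes might require four backslashes for each divider", does not say when four are needed, so the reader has to find out by trial and error. The rest of the note already implies the rule, and it would be clearer stated outright: every literal backslash in the field value is written as `\\`, so a divider that is itself two backslashes in the stored value is written as `\\\\`. A second sample next to `C:\\Windows\\explorer.exe` showing that four-backslash case would remove the "might". Because an exception value with the wrong number of backslashes will not match the path the author meant, it is also worth confirming in the rendered page that the backticked samples (`\\`, `\*`, `\?`) show exactly the backslashes typed here. The list item's own example was changed to `C:\\path\\*\\app.exe` in the same hunk, so the two should render consistently.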