Command Line Obfuscation via Whitespace Padding

Elastic Detection Rules

Summary
This detection rule flags process execution events whose command line contains excessive whitespace (a long run, or many contiguous spaces). Attackers may pad a command line this way to evade detection by obscuring the command that is actually executed. The rule is written in ES|QL and evaluates process execution events against specific criteria; the core trigger condition is a run of whitespace longer than 100 characters in the process command line.

Any triggered alert should be investigated on two levels: the specific process, and the activity around it, such as the process tree and related behaviour (network connections, filesystem access, and so on). False positives must be analysed carefully so that analysts can dismiss alerts that lack meaningful evidence of malicious activity, while an incomplete investigation risks missing a genuine threat. For confirmed cases, the incident response procedure focuses on containment and on analysis of the potentially malicious binary.
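The core condition described above, reproduced as an added Python example that is not the rule's own ES|QL query: it measures the longest contiguous run of spaces or tabs in each event's process.command_line, alerts when that run exceeds a threshold (100 by default, matching the rule), and collapses the padding so an analyst can read the underlying command. The event layout and sample events are constructed for illustration.

```python
import re
from typing import Iterable

# Runs of spaces or tabs; these are the characters used for padding.
_WS_RUN = re.compile(r"[ \t]+")

def longest_whitespace_run(command_line: str) -> int:
    """Length of the longest contiguous run of spaces/tabs (0 if none)."""
    return max((len(m.group(0)) for m in _WS_RUN.finditer(command_line)), default=0)

def normalize_command_line(command_line: str) -> str:
    """Collapse padding to single spaces so the real command is readable."""
    return _WS_RUN.sub(" ", command_line).strip()

def detect_whitespace_padding(events: Iterable[dict], threshold: int = 100) -> list[dict]:
    """Alert when any whitespace run in process.command_line is longer than
    `threshold` characters (strictly greater, as in 'greater than 100')."""
    alerts = []
    for ev in events:
        proc = ev.get("process", {})
        cmd = proc.get("command_line", "")
        run = longest_whitespace_run(cmd)
        if run > threshold:
            alerts.append({
                "host": ev.get("host", {}).get("name"),
                "process_name": proc.get("name"),
                "parent_name": proc.get("parent", {}).get("name"),
                "padding_length": run,
                "normalized_command_line": normalize_command_line(cmd),
            })
    return alerts

# Constructed sample events in an ECS-like layout (not real telemetry).
SAMPLE_EVENTS = [
    {"host": {"name": "ws-01"},  # benign: ordinary invocation, short gaps only
     "process": {"name": "powershell.exe", "parent": {"name": "explorer.exe"},
                 "command_line": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"}},
    {"host": {"name": "ws-02"},  # suspicious: 150 spaces hide the trailing argument
     "process": {"name": "cmd.exe", "parent": {"name": "winword.exe"},
                 "command_line": "cmd.exe /c" + " " * 150 + "whoami"}},
    {"host": {"name": "ws-03"},  # boundary: exactly 100 spaces, must not alert
     "process": {"name": "sh", "parent": {"name": "bash"},
                 "command_line": "sh -c" + " " * 100 + "id"}},
]

if __name__ == "__main__":
    for alert in detect_whitespace_padding(SAMPLE_EVENTS):
        print(alert)
```

Triage output keeps the parent process name alongside the normalized command line, since an unexpected parent is usually the first thing an analyst checks on these alerts.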
Categories
  • Endpoint
  • Windows
  • macOS
  • Linux
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1027
  • T1140
  • T1059
  • T1059.001
Created: 2025-06-30