
Summary
This rule detects command-line execution where an attacker may have inserted excessive whitespace to evade traditional signature-based detections. It looks for process execution events, recorded in logs, whose command line contains either a long sequence of whitespace characters or multiple separate runs of contiguous whitespace. Surfacing this behaviour prompts analysts to investigate the command execution in more depth: the executable involved, the process itself and any related activity in the environment.

Suggested investigation steps are a detailed review of the command line, inspection of the parent process tree, a check for known malicious behaviour, and a review of alerts associated with the same user or host in recent history. False positives are possible, so an alert should be prioritised for further examination according to whether additional suspicious activity is present. If actionable intelligence is gathered, emergency incident response actions should be taken to mitigate the threat.

Deploying the rule also requires contextual adjustments so that events from non-Elastic-Agent indices are ingested correctly. Overall, the rule helps identify attempts to conceal malicious intent by manipulating command-line input.
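The following Python check illustrates the logic the summary describes (a long whitespace run, or several separate runs, in a process command line); it is an added example, not the rule's own query, and the thresholds, event field names and sample command lines are constructed assumptions:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed thresholds for this example; tune them to the environment.
LONG_RUN = 20   # a single run of at least this many whitespace characters
MIN_RUNS = 3    # or at least this many separate runs of two or more
WS_RUN = re.compile(r"[ \t]{2,}")  # runs of two or more spaces/tabs


@dataclass
class Finding:
    longest_run: int
    run_count: int
    reason: str


def inspect_command_line(cmd: str) -> Optional[Finding]:
    """Return a Finding when the command line matches either pattern."""
    runs = [len(m.group()) for m in WS_RUN.finditer(cmd)]
    longest = max(runs, default=0)
    if longest >= LONG_RUN:
        return Finding(longest, len(runs), "long whitespace run")
    if len(runs) >= MIN_RUNS:
        return Finding(longest, len(runs), "multiple whitespace runs")
    return None


# Constructed process events; field names follow a common ECS-style layout.
SAMPLE_EVENTS = [
    {"process.name": "cmd.exe",
     "process.command_line": "cmd.exe /c whoami"},
    {"process.name": "msiexec.exe",
     "process.command_line": "msiexec.exe /i  installer.msi /qn"},
    {"process.name": "powershell.exe",
     "process.command_line": "powershell.exe   -NoProfile   -Command   Get-Process"},
    {"process.name": "notepad.exe",
     "process.command_line": "notepad.exe" + " " * 40 + "C:\\Temp\\note.txt"},
]


def scan_events(events):
    """Return (process name, reason) for every event the rule would flag."""
    hits = []
    for ev in events:
        finding = inspect_command_line(ev.get("process.command_line", ""))
        if finding is not None:
            hits.append((ev["process.name"], finding.reason))
    return hits


if __name__ == "__main__":
    for name, reason in scan_events(SAMPLE_EVENTS):
        print(f"{name}: {reason}")
```

The benign single double-space in the msiexec line is deliberately below both thresholds, showing why run length and run count are tested separately.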
Categories
- Endpoint
- Windows
- Other
Data Sources
- Process
- Logon Session
- Application Log
Created: 2021-07-30