
[Bug] Suspicious wmi library load #80

@mSALDANHAf

Description

@mSALDANHAf

Describe the bug
When opening the game Dead by Daylight from the EpicGames launcher, this rule prevents the game from opening.
The allowlist in the Suspicious WMI Library Load rule is not working correctly.

Is this an EasyAntiCheat allowlist problem or an EpicGames one?
File:
behavior/rules/windows/execution_suspicious_wmi_library_load.toml

To Reproduce
Steps to reproduce the behavior
(with Endpoint protection enabled, namely "Malicious behavior protections"):

  1. Go to 'EpicGames launcher'
  2. Open the game 'Dead by Daylight'
  3. Wait

Expected behavior
The game should open.

Desktop

  • OS: Windows
  • Version: 10

Additional context (the document below is the endpoint-security log entry recording the rule match; it does not include the alert's process executable or loaded-library fields, which are what the allowlist is evaluated against)

  "_index": ".ds-logs-elastic_agent.endpoint_security-default-2025.08.13-000010",
  "_id": "unCWzZgBfD3A5ogctxEv",
  "_version": 1,
  "_source": {
    "process": {
      "pid": 5936,
      "thread": {
        "id": 15660
      }
    },
    "agent": {
      "name": "DESKTOP-9",
      "id": "daeb419c-56e0-44a7-9414-a016b0144b10",
      "type": "endpoint",
      "ephemeral_id": "f027c59a-157d-422e-a93f-8568beb9e027",
      "version": "8.18.3"
    },
    "log": {
      "file": {
        "path": "C:\\Program Files\\Elastic\\Endpoint\\state\\log\\endpoint-000000.log",
        "vol": "3942048959",
        "idxlo": "569875",
        "idxhi": "2293760"
      },
      "offset": 23670929,
      "level": "info",
      "origin": {
        "file": {
          "line": 1372,
          "name": "RulesEngine.cpp"
        }
      },
      "source": "endpoint-default"
    },
    "elastic_agent": {
      "id": "daeb419c-56e0-44a7-9414-a016b0144b10",
      "version": "8.18.3",
      "snapshot": false
    },
    "message": "RulesEngine.cpp:1372   name:       Suspicious WMI Library Load",
    "input": {
      "type": "filestream"
    },
    "component": {
      "binary": "endpoint-security",
      "id": "endpoint-default",
      "type": "endpoint",
      "dataset": "elastic_agent.endpoint_security"
    },
    "@timestamp": "2025-08-21T16:48:20.846Z",
    "ecs": {
      "version": "8.10.0"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "elastic_agent.endpoint_security"
    },
    "host": {
      "hostname": "DESKTOP-9",
      "os": {
        "build": "19045.5737",
        "kernel": "10.0.19041.5737 (WinBuild.160101.0800)",
        "name": "Windows 10 Enterprise",
        "family": "windows",
        "type": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
      ],
      "name": "desktop-9",
      "id": "3cc83249-9733-4815-aa47-463014dc9b3a",
      "mac": [
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2025-08-21T17:04:23Z",
      "dataset": "elastic_agent.endpoint_security"
    }
  }
}
