You have it right: if you want to build an exception rule to whitelist only when the process.exe_path CONTAINS Nagios AND the process.cmd_line CONTAINS nc64.exe, your first example should do the trick.
One thing that's always worth checking when building your exception rule is the Detection Rule logic itself. I believe the Alert you are referring to is Suspicious Process - Netcat, which has the following logic:
This says if the process.name is either netcat.exe, nc.exe or ncat.exe (IIN means within the provided array, with case insensitivity applied).
So it’s worth verifying that your exception rule doesn’t negate this logic entirely, otherwise you would effectively be disabling the alert with an exception rule, but that's not the case with your approach.
If you opt to use the IS operator when building an exception rule, the key-value pair must be an exact match, and that may not be desirable in this case.
On a final note, something we added since my last post, which you may also find comes in handy, is the auto-suggestion option to unescape characters if you so happen to copy the contexts directly from the Investigation Evidence page. You will see this prompt remove the escape characters if you happen to do so.
We also have some further additions planned to bring the evidence payload right within the exception rule builder itself. Coming soon!
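
The checks described in the reply above, as an added example that is not part of the original post and is not the product's own code: it models IIN, CONTAINS and IS as the reply describes them and tests whether an exception rule suppresses every event the detection would fire on. The events, the helper names and the case-sensitive CONTAINS are assumptions made for the illustration.

```python
# Added illustration, not vendor code. Operator behaviour follows the post;
# CONTAINS being a case-sensitive substring match is an assumption.
DETECTION_NAMES = ["netcat.exe", "nc.exe", "ncat.exe"]  # array named in the post

def iin(value, array):
    """IIN: value is within the array, compared case-insensitively."""
    return value.lower() in [a.lower() for a in array]

def contains(value, needle):
    return needle in value

def is_exact(value, expected):
    """IS: the whole field value must match exactly."""
    return value == expected

def detection_fires(event):
    return iin(event["process.name"], DETECTION_NAMES)

def exception_matches(event, rule):
    """rule is a list of (key, operator, value); all conditions are ANDed."""
    return all(op(event.get(key, ""), val) for key, op, val in rule)

def alerts(events, rule):
    """IDs of events that still alert once the exception rule is applied."""
    return [e["id"] for e in events
            if detection_fires(e) and not exception_matches(e, rule)]

def negates_detection(events, rule):
    """True if the exception suppresses every event the detection fires on."""
    fired = [e for e in events if detection_fires(e)]
    return bool(fired) and all(exception_matches(e, rule) for e in fired)

# Constructed events: values exercise the operators, not taken from a real host.
NAGIOS = r"C:\Program Files\Nagios\plugins\nc.exe"
EVENTS = [
    {"id": "nagios", "process.name": "NC.EXE",
     "process.exe_path": NAGIOS, "process.cmd_line": "nc64.exe -h"},
    {"id": "other", "process.name": "nc.exe",
     "process.exe_path": r"C:\Users\Public\nc.exe", "process.cmd_line": "nc64.exe -h"},
    {"id": "nagios-other-cmd", "process.name": "ncat.exe",
     "process.exe_path": NAGIOS, "process.cmd_line": "ncat.exe -h"},
    {"id": "benign", "process.name": "notepad.exe",
     "process.exe_path": r"C:\Windows\notepad.exe", "process.cmd_line": "notepad.exe"},
]
CONTAINS_RULE = [("process.exe_path", contains, "Nagios"),
                 ("process.cmd_line", contains, "nc64.exe")]
IS_RULE = [("process.exe_path", is_exact, "Nagios"),
           ("process.cmd_line", is_exact, "nc64.exe")]
BROAD_RULE = [("process.name", iin, DETECTION_NAMES)]  # mirrors the detection itself
```

With the CONTAINS rule only the Nagios event is suppressed; the IS rule suppresses nothing because neither field equals the short value exactly, and the broad rule silences the detection altogether.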