I found this thread: "Kibana automatic activity is flooding audit log".
I haven't been able to get any of the combinations in that thread to work for me. I've tried things like:
.*elastic*.*, .*principal=.elastic.,.*, .principal=\[elastic\]., .principal=\\[elastic\\]., .*principal=\[elastic\].*
Any suggestions, or do you see what I'm missing?