The auditbeat reference documentation and common sense would imply that doing something like
- module: file_integrity
include_files: [ '(?i).dll$', '(?i).exe$' ]
would monitor ONLY .dll and .exe files in the system32 directory. Yet this config monitors all the files in system32. It is not limiting it to just dll and exe's. Is this how this was designed? Why can't elastic provide some useful, real-world examples in https://www.elastic.co/guide/en/beats/auditbeat/master/auditbeat-module-file_integrity.html? 5 or 6 common examples, such as what I am trying to do, would make their products 100x clearer.