Exclude with pattern matching on a field

Hello,

I've enabled AppLocker on Windows and I want to exclude some false positives based on a field named data.win.ruleAndFileData.filePath when it contains strings like "%OSDRIVE%\USERS\SAM_ACCOUNT_NAME\APPDATA\LOCAL\TEMP\SOME_FIGURE\GETPATHS.CMD".
I tried to filter with simple_query_string, but it does not work:

{
  "query": {
    "simple_query_string": {
      "query": "APPDATA GETPATHS.CMD",
      "fields": ["data.win.ruleAndFileData.filePath"],
      "default_operator": "and"
    }
  }
}
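One way to express this exclusion, as an added example that is not part of the original post: it assumes the field is mapped as keyword (where simple_query_string compares each whitespace-separated term against the whole stored value, so neither APPDATA nor GETPATHS.CMD can match a full path) and builds a bool/must_not clause around a wildcard query instead. The field name is the one from the post; the AppLocker-style events are constructed, the path glob is an assumption, and case_insensitive on wildcard needs Elasticsearch 7.10 or later. The local matcher mimics Lucene wildcard semantics so the pattern can be checked against sample paths before it is put in front of a live index.

```python
"""Build an Elasticsearch must_not/wildcard exclusion for AppLocker events and
check the wildcard locally first.  Added example, not code from the original
post; the field name comes from the post, everything else is constructed."""
import json
import re

FIELD = "data.win.ruleAndFileData.filePath"  # field named in the post

# Constructed sample events shaped like the post's data (values are made up).
SAMPLE_EVENTS = [
    {"data": {"win": {"ruleAndFileData": {
        "filePath": r"%OSDRIVE%\USERS\SAM_ACCOUNT_NAME\APPDATA\LOCAL\TEMP\SOME_FIGURE\GETPATHS.CMD"}}}},
    {"data": {"win": {"ruleAndFileData": {
        "filePath": r"%OSDRIVE%\USERS\OTHER_USER\APPDATA\LOCAL\TEMP\12345\getpaths.cmd"}}}},
    {"data": {"win": {"ruleAndFileData": {
        "filePath": r"%OSDRIVE%\USERS\SAM_ACCOUNT_NAME\DOWNLOADS\INSTALLER.EXE"}}}},
]


def lucene_escape(pattern: str) -> str:
    """Lucene wildcard syntax uses '\\' as its escape character, so every literal
    backslash of a Windows path has to be doubled (and json.dumps doubles it
    again, which is why the wire form shows four backslashes)."""
    return pattern.replace("\\", "\\\\")


def exclusion_query(field: str, path_glob: str) -> dict:
    """bool/must_not wrapping a wildcard query on a keyword-mapped field.
    case_insensitive=True copes with mixed-case paths (Elasticsearch 7.10+)."""
    return {"query": {"bool": {"must_not": [
        {"wildcard": {field: {"value": lucene_escape(path_glob),
                              "case_insensitive": True}}}]}}}


def exclusion_query_json(field: str, path_glob: str) -> str:
    """The request body as it would be sent to _search."""
    return json.dumps(exclusion_query(field, path_glob), indent=2)


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Local stand-in for Lucene wildcard matching: '*' is any run of characters,
    '?' one character, '\\x' the literal x, anything else literal.  Whole-value,
    case-insensitive match to mirror case_insensitive=True."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "\\" and i + 1 < len(pattern):
            i += 1
            out.append(re.escape(pattern[i]))
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.IGNORECASE)


def get_field(event: dict, dotted: str):
    """Walk a dotted field name through nested dicts; None when absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def apply_exclusion(events, field: str, path_glob: str) -> list:
    """Return the events the must_not clause would keep, i.e. those whose
    field value does NOT match the wildcard (missing field is kept too)."""
    rx = wildcard_to_regex(lucene_escape(path_glob))
    return [ev for ev in events
            if get_field(ev, field) is None or not rx.fullmatch(get_field(ev, field))]


if __name__ == "__main__":
    glob = r"*\APPDATA\LOCAL\TEMP\*\GETPATHS.CMD"  # assumed allowlist pattern
    print(exclusion_query_json(FIELD, glob))
    for ev in apply_exclusion(SAMPLE_EVENTS, FIELD, glob):
        print("kept:", get_field(ev, FIELD))
```

With the sample events, the two GETPATHS.CMD paths under APPDATA\LOCAL\TEMP are suppressed and only the DOWNLOADS\INSTALLER.EXE event survives; anchoring the glob on the fixed TEMP\...\GETPATHS.CMD tail keeps the exclusion narrow rather than suppressing every file under APPDATA.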
