Exclude with pattern matching on a field

scrouet · May 4, 2022, 12:38pm

Hello,

I've enabled AppLocker on Windows and I want to exclude some false positive based on a field named data.win.ruleAndFileData.filePath when it contains strings like "%OSDRIVE%\USERS\SAM_ACCOUNT_NAME\APPDATA\LOCAL\TEMP\SOME_FIGURE\GETPATHS.CMD".
I tried to filter with simple_query_string, but it does not work:

{
  "query": {
    "simple_query_string" : {
        "query": "APPDATA GETPATHS.CMD",
        "fields": ["data.win.ruleAndFileData.filePath"],
        "default_operator": "and"
    }
  }
}

system · June 1, 2022, 12:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Help with my Query :) Kibana	3	124	February 29, 2024
Filtering in Kibana Kibana	14	31066	February 28, 2017
Query Help search for $ Kibana	7	1442	July 6, 2017
Elastic Query for Windows user accounts, excluding computer accounts Logs elastic-stack-machine-learning , elastic-stack-alerting	2	785	April 29, 2022
Is it possible to search or exclude something like a string "{}"? Kibana	11	12913	July 6, 2017

Exclude with pattern matching on a field

Related topics