Hello,
I've enabled AppLocker on Windows and I want to exclude some false positives based on a field named data.win.ruleAndFileData.filePath when it contains strings like "%OSDRIVE%\USERS\SAM_ACCOUNT_NAME\APPDATA\LOCAL\TEMP\SOME_FIGURE\GETPATHS.CMD".
I tried to filter with simple_query_string, but it does not work:
{
  "query": {
    "simple_query_string": {
      "query": "APPDATA GETPATHS.CMD",
      "fields": ["data.win.ruleAndFileData.filePath"],
      "default_operator": "and"
    }
  }
}
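An added example, not from the original post: if data.win.ruleAndFileData.filePath is mapped as a keyword field (an assumption; Wazuh's Windows event fields are commonly stored that way), simple_query_string compares each word against the whole untokenized value, so "APPDATA" alone never matches a full path. The script below builds the exclusion as a bool query with must_not wildcard clauses instead, escapes the backslashes that Lucene's wildcard syntax would otherwise read as escape characters, and evaluates the same patterns locally against constructed sample events so the filter can be checked before it is sent to the cluster. The sample paths, the exclusion pattern and the function names are all constructed here; case_insensitive on the wildcard query requires Elasticsearch 7.10 or later.

```python
import re

# Field the exclusion is applied to (from the post).
FIELD = "data.win.ruleAndFileData.filePath"

# Constructed sample events: two legitimate GETPATHS.CMD launches (one in a
# different letter case) and one unrelated file that must not be excluded.
SAMPLE_EVENTS = [
    {FIELD: r"%OSDRIVE%\USERS\ALICE\APPDATA\LOCAL\TEMP\1234\GETPATHS.CMD"},
    {FIELD: r"%OSDRIVE%\Users\bob\AppData\Local\Temp\99\getpaths.cmd"},
    {FIELD: r"%OSDRIVE%\USERS\ALICE\APPDATA\LOCAL\TEMP\1234\PAYLOAD.EXE"},
]

# Constructed exclusion pattern: Elasticsearch wildcard syntax, where '*' is
# any sequence and '?' any single character. Wildcards stand in for the
# account name and the temp sub-folder that vary between hosts.
EXCLUDE_PATTERNS = [r"%OSDRIVE%\USERS\*\APPDATA\LOCAL\TEMP\*\GETPATHS.CMD"]


def wildcard_to_regex(pattern: str) -> str:
    """Translate an Elasticsearch-style wildcard into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # backslashes in paths are literal here
    return "".join(parts)


def wildcard_match(pattern: str, value: str) -> bool:
    """Local, case-insensitive evaluation of one wildcard pattern."""
    return re.fullmatch(wildcard_to_regex(pattern), value,
                        flags=re.IGNORECASE | re.DOTALL) is not None


def escape_for_wildcard_query(pattern: str) -> str:
    """Lucene's wildcard syntax uses '\\' as its escape character, so every
    literal backslash in a Windows path has to be doubled before it is put
    in the query (the JSON encoder then doubles it again on the wire)."""
    return pattern.replace("\\", "\\\\")


def build_exclusion_query(patterns):
    """Return a search body that drops events whose filePath matches any
    of the exclusion patterns, using must_not wildcard clauses."""
    return {
        "query": {
            "bool": {
                "must_not": [
                    {"wildcard": {FIELD: {
                        "value": escape_for_wildcard_query(p),
                        "case_insensitive": True,
                    }}}
                    for p in patterns
                ]
            }
        }
    }


def filter_events(events, patterns):
    """Apply the same must_not semantics locally: keep an event only if no
    exclusion pattern matches its filePath."""
    kept = []
    for event in events:
        path = event.get(FIELD, "")
        if any(wildcard_match(p, path) for p in patterns):
            continue
        kept.append(event)
    return kept


if __name__ == "__main__":
    import json
    print(json.dumps(build_exclusion_query(EXCLUDE_PATTERNS), indent=2))
    for event in filter_events(SAMPLE_EVENTS, EXCLUDE_PATTERNS):
        print("kept:", event[FIELD])
```

Keep the exclusion patterns as narrow as the data allows: wildcards for the user name and the temp sub-folder are needed, but the file name and the parent directories should stay literal so that a different binary dropped in the same temp tree still raises an AppLocker event.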