Exclude with pattern matching on a field


I've enabled AppLocker on Windows and I want to exclude some false positives based on a field named data.win.ruleAndFileData.filePath when it contains strings like "%OSDRIVE%\USERS\SAM_ACCOUNT_NAME\APPDATA\LOCAL\TEMP\SOME_FIGURE\GETPATHS.CMD".
I tried to filter with simple_query_string, but it does not work:

  {
    "query": {
      "simple_query_string" : {
          "query": "APPDATA GETPATHS.CMD",
          "fields": ["data.win.ruleAndFileData.filePath"],
          "default_operator": "and"
      }
    }
  }

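Added example, not from the original post: a local dry run of an exclusion for the path described above. It builds a bool/must_not wildcard clause for data.win.ruleAndFileData.filePath and applies the same glob to constructed sample events, so the pattern can be checked against known true positives before it is deployed. It assumes the field is mapped as keyword and that the cluster supports the wildcard query's case_insensitive flag (Elasticsearch 7.10 or later); the events and the pattern are constructed for illustration.

```python
import fnmatch

FIELD = "data.win.ruleAndFileData.filePath"

# Constructed sample events: the first mimics the false positive from the
# question, the second is an event that must survive the exclusion, the third
# lacks the field entirely and must survive as well.
SAMPLE_EVENTS = [
    {"data": {"win": {"ruleAndFileData": {"filePath":
        "%OSDRIVE%\\USERS\\SAM_ACCOUNT_NAME\\APPDATA\\LOCAL\\TEMP\\SOME_FIGURE\\GETPATHS.CMD"}}}},
    {"data": {"win": {"ruleAndFileData": {"filePath":
        "%OSDRIVE%\\USERS\\SAM_ACCOUNT_NAME\\DOWNLOADS\\INSTALLER.EXE"}}}},
    {"data": {"win": {"ruleAndFileData": {}}}},
]

# Elasticsearch wildcard syntax uses * and ? exactly like fnmatch, and the
# pattern must cover the whole keyword value, hence the leading *.
EXCLUDE_PATTERN = "*\\APPDATA\\LOCAL\\TEMP\\*\\GETPATHS.CMD"


def exclusion_query(pattern: str) -> dict:
    """Query body that drops documents whose filePath matches the glob.
    Assumption: FIELD is a keyword field; a leading * is slow on large
    indices, so keep the pattern as specific as the data allows."""
    return {"query": {"bool": {"must_not": [
        {"wildcard": {FIELD: {"value": pattern, "case_insensitive": True}}}
    ]}}}


def get_field(event: dict, dotted: str):
    """Walk a dotted path through nested dicts; None if any part is missing."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_exclusion(event: dict, pattern: str) -> bool:
    """Local equivalent of the wildcard clause (case-insensitive, whole value)."""
    value = get_field(event, FIELD)
    if not isinstance(value, str):
        return False  # a missing field never matches, so the event is kept
    return fnmatch.fnmatchcase(value.upper(), pattern.upper())


def apply_exclusion(events, pattern=EXCLUDE_PATTERN):
    """Return the events that would survive the must_not clause."""
    return [e for e in events if not matches_exclusion(e, pattern)]
```

Run apply_exclusion over a sample of real events from the index before enabling the clause: anything unexpectedly dropped means the glob is too broad.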