So I have a little query I'm using to detect PowerShell being run. To keep it from being noisy, I have some regex to ignore certain PowerShell files and some other things. It works PERFECTLY in Kibana when I test it, but does not do the same filtering job in Elastalert, and I get flooded with the alerts that should be filtered out.
Any ideas why this works great in ES but not in Elastalert?
GET _search
{
  "query": {
    "query_string": {
      "query": "((file_name.keyword:(C\\:\\Windows\\Temp\\* OR C\\:\\Temp\\*OR *\\Client\\* OR C\\:\\PerfLogs\\* OR *\\Users\\Public\\* OR C\\:\\Users\\Default\\* OR *.ps1 OR *.vbs OR *.bat OR *.chm OR *.xml OR *.txt OR *.jsp OR *.jspx OR *.asp OR *.aspx OR *.php OR *.war)) AND NOT ((file_name.keyword:(/.*windows.temp.[a-z0-9_]+\\.[a-z0-9]{3}\\.ps1/ OR /.*users[a-z0-9\\]+temp.[a-z0-9]+\\.[a-z0-9]{3}\\.ps1/))))"
    }
  }
}
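When a filter behaves differently in two front ends, a local oracle that encodes the rule's intent lets you compare what each system returns against what the rule is supposed to do. The following Python script is an added example and is not part of the original post or of Elastalert: it re-implements the query above as plain wildcard and regexp matching over constructed sample `file_name` values. Semantics are approximated as Lucene applies them to a `.keyword` field, that is whole-value, case-sensitive wildcard matching and anchored, case-sensitive regexps. The exclusion regexps are transcribed as I read their intent (a backslash inside the class standing for a literal backslash); the example does not settle how Elasticsearch parses the escaping of the second one, nor why Kibana and Elastalert disagree.

```python
import fnmatch
import re

# Include terms from the post's query_string, written as Lucene-style
# wildcards (only "*" is special here). Matched case-sensitively against the
# whole value, as a wildcard query on a keyword field is.
INCLUDE_PATTERNS = [
    r"C:\Windows\Temp\*",
    r"C:\Temp\*",
    r"*\Client\*",
    r"C:\PerfLogs\*",
    r"*\Users\Public\*",
    r"C:\Users\Default\*",
    "*.ps1", "*.vbs", "*.bat", "*.chm", "*.xml", "*.txt",
    "*.jsp", "*.jspx", "*.asp", "*.aspx", "*.php", "*.war",
]

# Exclusion regexps from the post, as I read their intent. Lucene regexp
# queries are anchored at both ends and case-sensitive on keyword fields,
# so re.fullmatch without re.IGNORECASE is the closest local equivalent.
EXCLUDE_REGEXES = [
    re.compile(r".*windows.temp.[a-z0-9_]+\.[a-z0-9]{3}\.ps1"),
    re.compile(r".*users[a-z0-9\\]+temp.[a-z0-9]+\.[a-z0-9]{3}\.ps1"),
]


def is_included(file_name: str) -> bool:
    """True if any wildcard term would select this value."""
    return any(fnmatch.fnmatchcase(file_name, p) for p in INCLUDE_PATTERNS)


def is_excluded(file_name: str) -> bool:
    """True if any NOT regexp would suppress this value."""
    return any(rx.fullmatch(file_name) for rx in EXCLUDE_REGEXES)


def should_alert(file_name: str) -> bool:
    """The rule's intent: selected by a wildcard term and not suppressed."""
    return is_included(file_name) and not is_excluded(file_name)


def evaluate(file_names):
    """Map each sample value to the alert decision, for side-by-side review."""
    return {name: should_alert(name) for name in file_names}


# Constructed sample values (hypothetical, not from the post). Note that the
# two "Windows\Temp" entries differ only in case: the regexp is case-sensitive,
# so only the lowercase spelling is suppressed. Worth checking against the
# real data before assuming the NOT clause fires on it.
SAMPLE_FILE_NAMES = [
    r"c:\windows\temp\abc_123.tmp.ps1",
    r"C:\Windows\Temp\abc_123.tmp.ps1",
    r"c:\users\bob\appdata\local\temp\x1.abc.ps1",
    r"C:\Users\Public\tool.exe",
    r"C:\Program Files\App\run.exe",
]

if __name__ == "__main__":
    for name, decision in evaluate(SAMPLE_FILE_NAMES).items():
        print(f"{'ALERT ' if decision else 'ignore'}  {name}")
```

Run it, then run the same sample values through Kibana and through the Elastalert rule; whichever of the two disagrees with this table is the one mangling the query, and the first thing to inspect is how the backslashes in the query string survive that front end's own escaping.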