NOTE: These queries are escaped to work in the Timelines Correlation editor in the Security app as of 7.14.0 (Kibana escapes the backslashes before sending the query to EQL).
- Search file path using case-insensitive regex.
file where file.path regex~ """C:\\Users\\.*\\APPDATA\\ROAMING\\[A-Za-z0-9_]{96,192}"""
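
The length bounds and case handling of this pattern can be checked offline before the query is saved. The Python harness below is an added example, not part of the original note; it assumes `regex~` must match the whole `file.path` value case-insensitively, and every path in it is constructed.

```python
import re

# Pattern copied verbatim from between the triple quotes of the query above.
# In an EQL raw string, as in a Python raw string, each \\ reaches the regex
# engine unchanged and matches one literal backslash.
PATTERN = r"C:\\Users\\.*\\APPDATA\\ROAMING\\[A-Za-z0-9_]{96,192}"

# Assumption: regex~ must match the entire file.path value, ignoring case,
# so it is modelled here with fullmatch() and IGNORECASE.
_RX = re.compile(PATTERN, re.IGNORECASE)


def matches(file_path: str) -> bool:
    """Return True if the query's pattern would match this file.path."""
    return _RX.fullmatch(file_path) is not None


def sample_path(name_len: int, prefix: str = r"C:\Users\alice\AppData\Roaming",
                suffix: str = "") -> str:
    """Build a constructed path whose last component is name_len characters."""
    name = ("aB3_" * 64)[:name_len]
    return prefix + "\\" + name + suffix


def run_cases() -> dict:
    """Evaluate constructed paths around the pattern's boundaries."""
    cases = {
        "95 chars (too short)": sample_path(95),
        "96 chars (lower bound)": sample_path(96),
        "192 chars (upper bound)": sample_path(192),
        "193 chars (too long)": sample_path(193),
        "lower-case path": sample_path(96).lower(),
        "name with extension": sample_path(96, suffix=".exe"),
        "file inside the directory": sample_path(96, suffix=r"\a.dll"),
        "deeper profile path": sample_path(
            96, prefix=r"C:\Users\alice\Backup\AppData\Roaming"),
        "different drive": sample_path(96, prefix=r"D:\Users\alice\AppData\Roaming"),
    }
    return {label: matches(path) for label, path in cases.items()}


if __name__ == "__main__":
    for label, hit in run_cases().items():
        print(f"{'MATCH' if hit else 'no match':9} {label}")
```

Under that assumption the pattern matches only when the long name is the final path component, so a file written inside such a directory does not match.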