Rule filter seems to be picking up on query_string values, not term values

[roman-tasi]

This is my filter:

filter:
- query:
   query_string:
     query: "\"cmd=Auth\""
- query:
    bool:
      must_not:
      - query_string:
          query: "\"relay\""
      - query_string:
          query: "\"relay2\""
      - query_string:
          query: "\"logman\""
      - query_string:
          query: "\"account=zimbra\""
      - query_string:
          query: "\"authentication failed\""
      - query_string:
          query: "\"account lockout\""
      - term:
          geoip.city_name: "PRIVATE IP"
      - term:
          geoip.region_name: "Hawaii"

The filter seems to be working for everything except the last two terms:

      - term:
          geoip.city_name: "PRIVATE IP"
      - term:
          geoip.region_name: "Hawaii"

Meaning it is excluding all the above queries but not the last two terms. Any idea what the fix is?

[jertel]

Perhaps the geoip.region_name field isn't matching the actual field, due to it being an object vs a field name with periods in it. Any time I have an issue like this I use the Kibana interface, with the Inspect panel, to compare how Kibana builds the filter vs how I write in my rule. If it works in Kibana I would replace my rule filter with the Kibana inspection syntax.

[roman-tasi]

This seems to be the fix (it doesn't give the ability to restrict by the specific field but for my use-case it doesn't matter):

filter:
- query:
   query_string:
     query: "\"cmd=Auth\""
- query:
    bool:
      must_not:
      - query_string:
          query: "\"relay\""
      - query_string:
          query: "\"relay2\""
      - query_string:
          query: "\"logman\""
      - query_string:
          query: "\"account=zimbra\""
      - query_string:
          query: "\"authentication failed\""
      - query_string:
          query: "\"account lockout\""
      - query_string:
          query: "\"PRIVATE IP\""
      - query_string:
          query: "\"Hawaii\""

So just putting it in as a query_string