I have a question regarding how to handle a regex query in a macro. Below I have a regex similar to the one I'm doing that matches when I use a regex checker, but when I try and add it to a simple search macro in Splunk it gives an error:
Error:
Error in 'SearchOperator:regex': Usage: regex <field> (=|!=) <regex>.
Macro tied to the rule. Basically has a first part of a script, then IP address it ignores, and then a second part of the script. One below is really simplified but gets same error:
Regex Example:
| regex [field] !="^C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "Resolve-DnsName \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b \| Select-Object -Property NameHost$"
String to check against in this example:
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "Resolve-DnsName 0.0.0.0 | Select-Object -Property NameHost
I feel like this should work, but maybe there is something I'm missing on how Splunk handles regex and how I need to tweak it.
Any info on this would be greatly appreciated.
Thanks.
[field] is improper syntax for the regex command. Use the field name by itself. If it's an argument to a macro then use $field$.
Oh apologies for the misunderstanding. That's not how it really is. I just have that as a placeholder for the real field.
It's like this:
| regex fieldname !=
Rule looking up process info in general:
| tstats `content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="* -ex*" AND Processes.process="* bypass *") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `exceptions`
| stats values(dest) count by process, parent_process
Macro (exceptions):
search process != "blah"
| regex process !="^C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "Resolve-DnsName \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b \| Select-Object -Property NameHost$"
Ok. Firstly, it's bad syntax. The syntax (in your case) should be
| regex field!="regex"
while you have
| regex field!="regex" "something else"
And secondly, the regex provided as a string is subject to the normal string escaping rules. So your "\\W" becomes effectively a regex for \W, which means "any non-word character" and so on. You should also escape the backslashes for the actual regex classes. So instead of "\d" you should use "\\d" and so on.
So is there no way to have it match the first and last strings while excluding a certain middle part? Something like:
"[string1, regex to exclude middle part, string2]"
I mean it's pretty clear with the matching string and regex that the point is to match everything but the changing IP.
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "Resolve-DnsName 0.0.0.0 | Select-Object -Property NameHost
@Bhart1 wrote: So is there no way to have it match the first and last strings while excluding a certain middle part? Something like:
"[string1, regex to exclude middle part, string2]"
I mean it's pretty clear with the matching string and regex that the point is to match everything but the changing IP.
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "Resolve-DnsName 0.0.0.0 | Select-Object -Property NameHost
You can do that, and it's done all the time. However, the regular expression MUST be a single quoted string. Something like this.
| regex process !="^C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Resolve-DnsName \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b \| Select-Object -Property NameHost$"
I disagree with @PickleRick about the escaping. I think you have that part right.
@richgalloway I disagree with your disagreeing 😉
| makeresults
| eval s="c:\\windows"
| regex s="c:\\\\windows"
This one returns a result while this one
| makeresults
| eval s="c:\\windows"
| regex s="c:\\windows"
doesn't.
@Bhart1 I'm not sure what you mean by "exclude" here. In any case you just need a single regex to match. If you want to match anything having parts matching both regexes, you might simply join them with a "match anything" .*. Like
|regex field!="C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe.*Resolve-DnsName \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\| Select-Object -Property NameHost"
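To make the escaping argument concrete, here is an added Python example (not from the thread) that models the two-step processing a double-quoted SPL regex goes through (string unescape first, then the regex engine) and applies the `regex process != "..."` exception over constructed process strings; the unescape function is a deliberate simplification that only handles `\\` and `\"`.

```python
import re

# Constructed sample values of Processes.process; the first mirrors the
# Resolve-DnsName command line quoted in the thread, the rest are made up.
PROCESSES = [
    r'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "Resolve-DnsName 0.0.0.0 | Select-Object -Property NameHost',
    r'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "Resolve-DnsName 10.20.30.40 | Select-Object -Property NameHost',
    r'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "Resolve-DnsName example.internal | Select-Object -Property NameHost',
    r'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -ex bypass -File C:\temp\script.ps1',
]

# The exception regex exactly as it would be typed between the SPL double
# quotes: every backslash meant for the regex engine is doubled.
SPL_EXCLUDE = (
    r'C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
    r'.*Resolve-DnsName \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}'
    r' \\| Select-Object -Property NameHost'
)

def spl_unescape(literal: str) -> str:
    """Simplified model (assumption) of SPL double-quoted string handling:
    a doubled backslash becomes one backslash and backslash-quote becomes a
    quote; everything else is passed through to the regex engine as-is."""
    out, i = [], 0
    while i < len(literal):
        if literal[i] == '\\' and i + 1 < len(literal) and literal[i + 1] in '\\"':
            out.append(literal[i + 1])
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return ''.join(out)

def spl_regex_matches(spl_literal: str, value: str) -> bool:
    """What `| regex field="<spl_literal>"` evaluates for one field value."""
    return re.search(spl_unescape(spl_literal), value) is not None

def apply_exceptions(processes, spl_literal=SPL_EXCLUDE):
    """Mimic `| regex process != "<spl_literal>"`: drop rows that match."""
    pattern = re.compile(spl_unescape(spl_literal))
    return [p for p in processes if not pattern.search(p)]

if __name__ == '__main__':
    # Same experiment as the makeresults test: only the doubled form matches.
    print(spl_regex_matches(r'c:\\\\windows', 'c:\\windows'))  # True
    print(spl_regex_matches(r'c:\\windows', 'c:\\windows'))    # False
    for p in apply_exceptions(PROCESSES):
        print('kept:', p)
```

Only the two rows that are not the allow-listed Resolve-DnsName-with-IP command line survive the exception, which is the behaviour the macro is meant to have.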
Please put the *real* and *complete* macro definition in a code block so we know exactly what we're working with and can test it in our own sandboxes. Please also include how the macro is used in a query.