Using ",loose" at the end of a Trigger Query for a Detection

Can someone help direct me into how to be able to keep the “,loose” option at the end of the trigger query for creating a custom alert on something? It shows it when looking at the list of the custom alerts but whenever you open the specific alert it has the loose removed.

I attached two images to help show what I am talking about. Thanks!

[attached images: example1, example2]

I don’t have a method for “,loose”, nor have I tried to use it in custom alerts.
Though, you can do the equivalent of that in regex. A bit more work, but then you have more control:

where(process.name!=/.*Teams.exe.*/i AND /.*\\\\Microsoft\\\\Teams\\\\Local Storage.*/i)

1 Like
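An added example (not from the thread, and not Rapid7 code) showing what the regex equivalent of a “,loose” match actually does: the term may occur anywhere in the value and case does not matter, which is what `/.*term.*/i` expresses. It emulates the `where(process.name!=/.*Teams.exe.*/i AND /.*\\\\Microsoft\\\\Teams\\\\Local Storage.*/i)` clause above in Python over a handful of constructed events. The event layout (a `process.name` key plus a path field) and the events themselves are assumptions for illustration only.

```python
"""Emulate a LEQL ',loose' match with an equivalent case-insensitive regex.

Added example, not code from the forum thread or from Rapid7.
Assumptions (not stated in the thread): events are flat dicts with a
"process.name" key, and a bare regex (no key) is tested against every
string value of the event, the way a keyless /regex/ in LEQL is tested
against the whole log line. All events below are constructed samples.
"""
import re

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"process.name": "Teams.exe",
     "file.path": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb"},
    {"process.name": "powershell.exe",
     "file.path": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb"},
    {"process.name": "notepad.exe",
     "file.path": r"C:\Users\alice\Documents\notes.txt"},
    {"process.name": "explorer.exe",
     "file.path": r"C:\Users\bob\AppData\Roaming\microsoft\teams\local storage\x"},
    {"process.name": "TEAMS.EXE",
     "file.path": r"C:\Users\bob\AppData\Roaming\Microsoft\Teams\Local Storage\y"},
]


def loose_regex(term: str) -> re.Pattern:
    """Regex equivalent of ',loose': the literal term anywhere in the value,
    case-insensitively. re.escape produces the doubled backslashes that a
    Windows path needs, so they never have to be typed by hand. Note that
    re.escape also makes the '.' in 'Teams.exe' literal, whereas the
    hand-written /.*Teams.exe.*/i in the thread leaves it as a wildcard."""
    return re.compile(".*" + re.escape(term) + ".*", re.IGNORECASE)


def event_matches(event: dict,
                  excluded_process: str = "Teams.exe",
                  path_fragment: str = r"\Microsoft\Teams\Local Storage") -> bool:
    """Emulates:
        where(process.name!=/.*Teams.exe.*/i AND /.*\\\\Microsoft\\\\Teams\\\\Local Storage.*/i)
    process.name must NOT loosely match the excluded process, and some field
    of the event must loosely contain the path fragment."""
    proc_re = loose_regex(excluded_process)
    path_re = loose_regex(path_fragment)
    proc_excluded = proc_re.fullmatch(event.get("process.name", "")) is not None
    string_values = [v for v in event.values() if isinstance(v, str)]
    path_hit = any(path_re.fullmatch(v) for v in string_values)
    return (not proc_excluded) and path_hit


def matching_events(events: list) -> list:
    """Return the process names of the events the clause would select."""
    return [e["process.name"] for e in events if event_matches(e)]


if __name__ == "__main__":
    print("pattern for the path fragment:", loose_regex(r"\Microsoft\Teams\Local Storage").pattern)
    print("selected events:", matching_events(SAMPLE_EVENTS))
```

The interesting cases are the last two events: the lower-case `microsoft\teams\local storage` path is still selected because the `i` flag makes the match case-insensitive, and `TEAMS.EXE` is still excluded for the same reason. Printing `loose_regex(...).pattern` shows the escaped form of the path, which is the part people most often get wrong when writing the regex by hand.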

Thank you! That was exactly what I was looking for. I am still learning how regex works so this was very helpful. Do you have any good regex learning tips or reading material for it?

A decent explainer is in InsightOps docs:
https://docs.rapid7.com/insightops/regular-expression-search/

Regex can be overwhelming, but just start small. A cursory search for a tutorial found this:

You will find tons of content on YouTube.

Also, look for recipes for common tasks (finding phone number, SSN, credit card, etc) and try to dissect what is already done to learn how to use the various features.

2 Likes