Inconsistent events search result for file.name:*.exe when adding user_name filter
user_name:user and file.name:filename.exe returns 3 events for the last 60 days,
while file.name:filename.exe returns 157 events for the same time period.
Search syntax for endpoints and search syntax for events within the ATP database are slightly different.
The correct query for getting the expected result with a wildcard character in a Database search would be:
user_name:name AND (file.name:/.*exe/ OR process.file.name:/.*exe/)
For more details on writing Endpoint search queries, please see
For more details on writing Database search queries, please see
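To show why a filter that only inspects file.name undercounts compared with the query above, here is an added Python simulation of the two query shapes over a handful of constructed events. It is not ATP's search engine or its data; the field names, user names and file names are assumed for illustration.

```python
import re
from fnmatch import fnmatch

# Constructed sample events (not real ATP data). Some events carry the
# executable name under file.name, others only under process.file.name.
SAMPLE_EVENTS = [
    {"user_name": "alice", "file.name": "setup.exe"},
    {"user_name": "alice", "process.file.name": "svchost.exe"},
    {"user_name": "alice", "file.name": "report.docx",
     "process.file.name": "winword.exe"},
    {"user_name": "bob", "file.name": "tool.exe"},
    {"user_name": "alice", "file.name": "notes.txt"},
]

# A Lucene-style regex term such as /.*exe/ must match the whole field
# value, so the Python equivalent is re.fullmatch, not re.search.
EXE_REGEX = re.compile(r".*exe")


def matches_regex(value, pattern=EXE_REGEX):
    """True when the field exists and the regex matches the entire value."""
    return value is not None and pattern.fullmatch(value) is not None


def file_name_only_query(events, user):
    """Simulates: user_name:<user> AND file.name:*.exe (one field only)."""
    return [
        e for e in events
        if e.get("user_name") == user
        and e.get("file.name") is not None
        and fnmatch(e["file.name"], "*.exe")
    ]


def both_fields_query(events, user):
    """Simulates: user_name:<user> AND (file.name:/.*exe/ OR process.file.name:/.*exe/)."""
    return [
        e for e in events
        if e.get("user_name") == user
        and (matches_regex(e.get("file.name"))
             or matches_regex(e.get("process.file.name")))
    ]


if __name__ == "__main__":
    print("file.name only:", len(file_name_only_query(SAMPLE_EVENTS, "alice")))
    print("both fields:   ", len(both_fields_query(SAMPLE_EVENTS, "alice")))
```

Events whose executable is recorded only under process.file.name are invisible to the single-field query, which is the kind of gap that makes an investigation count look too small.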