Event Type Id:8001-Process Activity AND Process Command Line:/rundll32.exe.*([a-z]{3,5}):\/\/([0-9]{1,3}"."){3}[0-9]{1,3}?\/[a-z]{2,12}\/[A-Za-z0-9]{1,12}\.txt/
In the custom incident rule customization section, the query above returns results when tested, but the rule itself does not trigger, even though a recent test reproduced that exact activity.
The explanation: in the rule as previously configured, double quotes were used to match the dot, like this: ".". The rule's regex engine takes that literally, so it looks for a dot enclosed in double quotes rather than a plain dot.
The ES query returns results for the configured rule because it uses Lucene regex syntax, in which " is a reserved character: any string enclosed in double quotes is matched literally and the enclosing " themselves are ignored.
Also, in regex an unescaped . matches any single character. The configured rule used 'rundll32.exe', which is interpreted as 'rundll32[any char]exe'. For a literal match, the '.' must be escaped: 'rundll32\.exe'.
For the example in this article, this is the correct syntax:
Event Type Id:8001-Process Activity AND Process Command Line:/rundll32\.exe.*([a-z]{3,5}):\/\/([0-9]{1,3}\.){3}[0-9]{1,3}?\/[a-z]{2,12}\/[A-Za-z0-9]{1,12}.txt/
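To check the two escaping mistakes before pushing a rule, the patterns can be exercised offline against constructed command lines. The example below is added here and is not part of this article or of the product's own rule engine; it uses Python's re module as a stand-in, which treats "." the way the rule engine does (a literal quote, any character, a literal quote), not the way Lucene does. The sample command lines and the 192.0.2.10 address are constructed test data, and the example also escapes the trailing .txt as \.txt by the same reasoning applied to the other dots.

```python
import re

# Constructed sample command lines for exercising the rule (not real telemetry).
SAMPLES = {
    # what a real process command line with a dotted IP looks like
    "real_dotted_ip": r"rundll32.exe http://192.0.2.10/files/update.txt",
    # the only shape the "." form of the rule can match: dots wrapped in quotes
    "quoted_dots":    r'rundll32.exe http://192"."0"."2"."10/files/update.txt',
}

# Pattern as originally configured: "." is taken literally (quote, any char, quote).
BROKEN = (r'rundll32.exe.*([a-z]{3,5}):\/\/([0-9]{1,3}"."){3}[0-9]{1,3}?'
          r'\/[a-z]{2,12}\/[A-Za-z0-9]{1,12}\.txt')

# Corrected pattern: every literal dot is escaped as \. (including the one in .txt).
FIXED = (r'rundll32\.exe.*([a-z]{3,5}):\/\/([0-9]{1,3}\.){3}[0-9]{1,3}?'
         r'\/[a-z]{2,12}\/[A-Za-z0-9]{1,12}\.txt')


def matches(pattern, cmdline):
    """True if the regex is found anywhere in the command line."""
    return re.search(pattern, cmdline) is not None


def evaluate(pattern):
    """Return {sample_name: matched?} for every constructed sample."""
    return {name: matches(pattern, line) for name, line in SAMPLES.items()}


def rundll32_token_matches(escaped, token):
    """Show the second defect: an unescaped dot in rundll32.exe matches any character.

    escaped=False uses 'rundll32.exe', escaped=True uses 'rundll32\\.exe'.
    """
    pattern = r"rundll32\.exe" if escaped else r"rundll32.exe"
    return re.fullmatch(pattern, token) is not None


if __name__ == "__main__":
    print("broken rule:", evaluate(BROKEN))   # real_dotted_ip False, quoted_dots True
    print("fixed rule: ", evaluate(FIXED))    # real_dotted_ip True, quoted_dots False
    print("unescaped dot accepts rundll32-exe:", rundll32_token_matches(False, "rundll32-exe"))
    print("escaped dot accepts rundll32-exe:  ", rundll32_token_matches(True, "rundll32-exe"))
```

The broken pattern only fires on a command line whose IP address literally contains quoted dots, which is why a genuine test run never triggered the rule, while the fixed pattern fires on the realistic line and nothing else. The token check shows the smaller problem with rundll32.exe: without the backslash it also accepts rundll32-exe, so any other single character between the name and the extension passes.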