parlevjo, as written, the first ?= positive lookahead assertion will match zero or more characters followed by the literal string "autodiscover" (without quotes) anywhere in the string (line if you use ^ and $), and separately, the second ?= positive lookahead assertion will match zero or more characters followed by the literal string "powershell" (without quotes) anywhere in the string (line if you use ^ and $). If both assertions are true (both "autodiscover" and "powershell" exist anywhere in the string/line being searched), then the pattern will match.
Therefore, each of the following match:
a=autodiscover xxx b=powershell
b=powershell a=autodiscover
autodiscoverpowershell
powershellautodiscover
I too had to clarify this in a few edits to my post.
Since we're going to define the start and end of the line (searching by line for performance), and with the assertion that the line must contain both the words "powershell" and "autodiscover," we must finally allow the whole line itself to match with .* (zero or more characters). Since we don't care about the contents of the line, only that a match was found, the enclosing (?: ) instructs the parser to disregard the contents (a non-capturing group). .* by itself would also work.
^(?=.*autodiscover)(?=.*powershell)(?:.*)$
Basically translates to, "does this line contain both the words autodiscover and powershell?"
I know I'm getting in the weeds, but even the early hunting queries provided by GTSC don't account for the URL/REQUEST_URI/{UrlDecode:{REQUEST_URI}} all being wholly contained within a single line in a log file, causing the query to take quite a long time.
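The line-by-line check described in the comment above, as an added example that is not part of the original post: it runs the comment's pattern over constructed sample lines and compares it with an order-dependent pattern. The function names, the case-insensitive flag, the URL-decoding step before matching and the log-style lines are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Pattern from the comment: both words must appear somewhere on the line, in any order.
# re.IGNORECASE is an assumption added here; the comment's pattern carries no flags.
BOTH_WORDS = re.compile(r"^(?=.*autodiscover)(?=.*powershell)(?:.*)$", re.IGNORECASE)

# Order-dependent pattern for comparison (assumption, not from the comment).
ORDERED = re.compile(r"autodiscover.*powershell", re.IGNORECASE)

# Constructed sample lines, not real log data. The first four are the comment's strings.
SAMPLE_LINES = [
    "a=autodiscover xxx b=powershell",
    "b=powershell a=autodiscover",
    "autodiscoverpowershell",
    "powershellautodiscover",
    "2022-10-01 10:00:00 GET /autodiscover/autodiscover.json - 443 200",
    "2022-10-01 10:00:01 POST /powershell - 443 401",
    "2022-10-01 10:00:02 GET /Autodiscover/x.json?y=%70owershell - 443 200",
]


def scan(lines, pattern=BOTH_WORDS, decode=True):
    """Return (line_number, original_line) for every line the pattern finds."""
    hits = []
    for number, line in enumerate(lines, start=1):
        # Percent-decode first so an encoded character cannot hide either word.
        candidate = unquote(line) if decode else line
        if pattern.search(candidate):
            hits.append((number, line))
    return hits


def hit_numbers(lines, pattern=BOTH_WORDS, decode=True):
    """Line numbers only, convenient for comparing patterns."""
    return [number for number, _ in scan(lines, pattern, decode)]


if __name__ == "__main__":
    print("lookahead, decoded:", hit_numbers(SAMPLE_LINES))
    print("lookahead, raw:    ", hit_numbers(SAMPLE_LINES, decode=False))
    print("ordered, decoded:  ", hit_numbers(SAMPLE_LINES, ORDERED))
```

Lines 5 and 6 each contain only one of the two words and are skipped, and the order-dependent pattern misses the two lines where "powershell" comes first.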