VMware Cloud Community
VA323
Contributor

Log Insight Agent - Collect Windows Events with Specific Text

I have been using the Agent Configuration to collect specific Windows EventIDs as in the example below, which works fine. In this example, the agent is collecting AppLocker events with ID of 8004.

According to Event Fields and Operators, you should be able to use "Text" in an expression, but I have not been successful so far.

But I am trying to filter further, by collecting events that contain specific text such as "powershell". I have tried expressions such as the following ones in Whitelist filter expression but no success:

Text == \b(\w*powershell\w*)\b (regex expression)

or

Text="powershell"

Any ideas on what the proper syntax should be?

Thank you

Note: Obviously, I can filter after all events are collected, but wanted to see if I could avoid needlessly ingesting events that are of no value.

[Attachment: AgentConfiguration.jpg]
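The following is an added example, not part of the original post and not VMware's own agent code, and it does not claim to show the Log Insight whitelist-expression syntax. It models, in plain Python over a few constructed AppLocker-style event records, the three match styles the poster is reaching for (exact equality, substring, and the regex `\b(\w*powershell\w*)\b`), so that the difference between them is visible before any agent configuration is attempted. The event fields `EventID` and `Text`, the sample messages, and the helper names `matches` and `whitelist` are all assumptions made for this example.

```python
import re

# Constructed sample events (not from the original post). Only the two
# fields this example needs are modelled; real records carry many more.
SAMPLE_EVENTS = [
    {"EventID": 8004, "Text": "%PROGRAMFILES%\\TOOLS\\PowerShell.exe was prevented from running."},
    {"EventID": 8004, "Text": "C:\\Temp\\notepad.exe was prevented from running."},
    {"EventID": 8002, "Text": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe was allowed to run."},
    {"EventID": 8004, "Text": "C:\\Users\\alice\\Downloads\\POWERSHELL_ISE.EXE was prevented from running."},
]


def matches(event, event_id, needle, mode="regex", ignore_case=True):
    """Return True when the event has the wanted EventID and its Text
    satisfies `needle` under the chosen match mode.

    mode="equals"   -> whole Text must equal needle (what Text="powershell" implies)
    mode="contains" -> needle must occur somewhere in Text
    mode="regex"    -> needle is a regular expression searched within Text
    """
    if event["EventID"] != event_id:
        return False
    text = event["Text"]
    if mode == "equals":
        return text.lower() == needle.lower() if ignore_case else text == needle
    if mode == "contains":
        return needle.lower() in text.lower() if ignore_case else needle in text
    if mode == "regex":
        flags = re.IGNORECASE if ignore_case else 0
        return re.search(needle, text, flags) is not None
    raise ValueError(f"unknown mode: {mode}")


def whitelist(events, event_id, needle, mode="regex", ignore_case=True):
    """Apply `matches` to every event and return the Text of those that pass,
    mirroring a collection-time whitelist that drops everything else."""
    return [e["Text"] for e in events if matches(e, event_id, needle, mode, ignore_case)]


if __name__ == "__main__":
    pattern = r"\b(\w*powershell\w*)\b"
    # Exact equality against a whole message never matches, since the message
    # is far more than the word "powershell".
    print("equals:        ", whitelist(SAMPLE_EVENTS, 8004, "powershell", mode="equals"))
    # The poster's regex, evaluated case-sensitively, misses "PowerShell.exe"
    # and "POWERSHELL_ISE.EXE", which is how AppLocker commonly renders paths.
    print("regex (cs):    ", whitelist(SAMPLE_EVENTS, 8004, pattern, ignore_case=False))
    # Case-insensitive regex or substring matching keeps both 8004 hits and
    # still excludes the 8002 (allowed) event.
    print("regex (ci):    ", whitelist(SAMPLE_EVENTS, 8004, pattern))
    print("contains (ci): ", whitelist(SAMPLE_EVENTS, 8004, "powershell", mode="contains"))
```

The point to carry over to any agent-side filter is the case-sensitivity check: a pattern written in lowercase against executable paths that Windows reports in mixed or upper case will silently drop the events of interest, and the absence of matches looks identical to a syntax problem.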

0 Replies