I'm looking for support on my $xmlregex Blacklist. I have checked as many previous tickets as I can and I'm still stuck.

It works when I put the events into regex101 which is why I'm so confused.

This is what I have ended up with:

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
start_from = oldest
renderXml = 1
# 4100 Error Log | 4104 Script Block
whitelist = 4104,4100
blacklist  = $xmlRegex= $\<EventID\>(?:4104|4100)\<\/EventID\>.*\<Data\sName='ScriptBlockText'\>[\S\s]*[C-Z]:\\Program(?:\sFiles|Data)(\s\(x86\))?\\(?:qualys|Nexthink|uniFLOW\sSmartClient)\\$
blacklist1 = $xmlRegex= $\<EventID\>(?:4104|4100)\<\/EventID\>.*\<Data\sName='ScriptBlockText'\>[\S\s]*[C-Z]:\\Windows\\ccm\\$

I've had to use [\S\s]* because the it's a PowerShell script which has carriage returns in.

Any help would be massively appreciated.

Thanks!