I am trying to filter on the Event Log ID 4624, for events that only contain the string "Elevated Token: No"
I have tried a 'Matches Regular Expression' of (?i)Elevated Token: No but I cannot get the filter to work
How can I set up a pre-processing, where I can get the Logon Type number only when Elevated Token is No?