Hello,
I'm running Elasticsearch, Kibana, and Winlogbeat (all of which are version 8.0.1) on a Windows 10 desktop.
When I query for event.code:4104 using the "Discovery" tab, one of the available fields is powershell.file.script_block_text.
Yet, when I attempt to make the same query while building a visualization (using the same index and timeline), this specific field is not available. I also attempted to use the original/pre-processor field name (winlog.event_data.ScriptBlockText), but the result is the same.
Can anyone help in what direction I should take to address this issue?