To use 'regexp' syntax, you must use a / (slash) at the beginning and end of the regexp.

To wildcard text at the beginning and ending of the line, add a ".*"  (dot asterisk) to the beginning and end of the 'Actor Command Line'.

Example: Stop recording "ETW 8015 Activity" events from a trusted script.

Description:  the EDR is recording excessive "ETW 8015 Activity" events due to a trusted CSCRIPT command that inventories user information.  Hence, the objective is create a recorder rule that stops recording the specifically the trusted program without eliminating recording of malicious CSCRIPT programs.

Fill out the form as follows (See image):

1) Selected option to stop recording trusted Events

2)  Select only the 8015 - ETW Event

3)  Enter full path of the cscript actor

4)  "event_actor.cmd_line" field in Event Log Details

5)            /.*C:\\Program Files \(x86\)\\Test\\Run_[0-9][0-9][0-9]\\Info.vbs.*/

6)  Comment details:

/ (slash) at front/end to start PCRE regexp matching engine
.* (dot asterisk) at front/end to accept any character before/after
\ (backslashes), parentheses () must be escaped with backslash
[0-9] single character position numeric match