Exclude _PSSCRIPTPOLICYTEST_xxxxx.ps1 in fullfilepath in AppLocker events from forwarding to WEC

[divadiow]

is it possible to exclude the AppLocker test events, that Windows generates loads of, from being forwarded to our Windows event collector? Our sysmonconf file is the Swift sysmon.xml

the event XML has this information in the "filepath" and "fullfilepath" sections. eg

<FilePath>%OSDRIVE%\USERS\user123\APPDATA\LOCAL\TEMP__PSSCRIPTPOLICYTEST_ND0JBN3F.CWB.PS1</FilePath>