diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 7e91eb360..a3034b7c5 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -135,6 +135,7 @@ fieldmappings:
   Product: winlog.event_data.Product
   Properties: winlog.event_data.Properties
   RuleName: winlog.event_data.RuleName
+  ScriptBlockText: powershell.file.script_block_text
   SecurityID: winlog.event_data.SecurityID
   ServiceFileName: winlog.event_data.ServiceFileName
   ServiceName: winlog.event_data.ServiceName
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index 34fef1fdd..789d5f2b8 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -119,6 +119,7 @@ fieldmappings:
   ProcessName: event_data.ProcessName
   Product: event_data.Product
   Properties: event_data.Properties
+  ScriptBlockText: winlog.event_data.ScriptBlockText
   SecurityID: event_data.SecurityID
   ServiceFileName: event_data.ServiceFileName
   ServiceName: event_data.ServiceName
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 9bb3c5559..1b1f4bdea 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -125,6 +125,7 @@ fieldmappings:
   Properties: winlog.event_data.Properties
   RuleName: winlog.event_data.RuleName
   SAMAccountName: winlog.event_data.SamAccountName
+  ScriptBlockText: winlog.event_data.ScriptBlockText
   SecurityID: winlog.event_data.SecurityID
   ServiceFileName: winlog.event_data.ServiceFileName
   ServiceName: winlog.event_data.ServiceName