Forum Discussion
A simple Custom XPath Data Source Collection is not working
Can someone please help me with the following?
I read the following document: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent
I am following the information in this document, but the XPath filter is not working.
If I use the 'basic' option for Security > Audit Success, then the information I want from the Windows Server Security event log 'does appear' in Log Analytics using the following query:
Event
| where EventLog == 'Security'
| where Source == 'Microsoft-Windows-Security-Auditing'
| where EventID == '4870'
| project TimeGenerated,EventID,RenderedDescription,Source,EventLevelName,ParameterXml,EventData
However, when I use a Custom XPath Query under Add Data Source, as follows,
I paste the following into the XPath window:
*[System[EventID=4870]]
However, Azure always adds !* to the end of the XPath query, so the saved XPath ends up as follows:
*[System[EventID=4870]]!*
I have also tried the XPath:
Security!*[System[EventID=4870]]
I leave this for about an hour, then I regenerate further 4870 events in the Security event log (basically revoking certificates in a test CA).
These 4870 events appear on the server in the Security event log as expected. However, they are 'not' being sent to Log Analytics any more (as they were with the initial basic filter).
I cannot see what is wrong, as I followed the document. Can you kindly:
1) Tell me why the Azure Portal automatically adds !* to the end of my XPath query?
2) Tell me the reason why the data is no longer appearing (being collected) and shown in Log Analytics when using the custom XPath above (when setting up the Data Source and using Custom)?
Please advise,
Thanks
Charlie
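
A local check of the three XPath strings from the post, added here as an example and not part of the original post: the linked Microsoft document describes data collection rule XPath entries in the form LogName!XPathQuery and suggests validating the query part with Get-WinEvent -FilterXPath. Test-DcrXPathEntry is a hypothetical helper name; run it in an elevated PowerShell session on the server, since reading the Security log requires administrator rights.

```powershell
# Added example. Test-DcrXPathEntry is a hypothetical helper, not a Microsoft cmdlet.
# It reads a DCR-style entry as LogName!XPathQuery and tests both halves locally.
function Test-DcrXPathEntry {
    param(
        [Parameter(Mandatory)][string]$Entry,
        [int]$MaxEvents = 5
    )

    $result = [ordered]@{ Entry = $Entry; LogName = $null; XPath = $null; Matched = 0; Problem = $null }

    # Split on the first '!' only: left side is the event log, right side the XPath.
    $parts = $Entry -split '!', 2
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
        $result.Problem = 'Not in LogName!XPathQuery form'
        return [pscustomobject]$result
    }
    $result.LogName = $parts[0]
    $result.XPath   = $parts[1]

    # The left side must name an event log that exists on this machine.
    try {
        $null = Get-WinEvent -ListLog $result.LogName -ErrorAction Stop
    } catch {
        $result.Problem = "'$($result.LogName)' is not an event log on this machine"
        return [pscustomobject]$result
    }

    # Run the XPath against that log. Get-WinEvent raises an error both for an
    # invalid XPath and for zero matching events, so record its message.
    try {
        $events = @(Get-WinEvent -LogName $result.LogName -FilterXPath $result.XPath `
                        -MaxEvents $MaxEvents -ErrorAction Stop)
        $result.Matched = $events.Count
    } catch {
        $result.Problem = $_.Exception.Message
    }
    return [pscustomobject]$result
}

# The three strings quoted in the post.
$entries = '*[System[EventID=4870]]',
           '*[System[EventID=4870]]!*',
           'Security!*[System[EventID=4870]]'
$entries | ForEach-Object { Test-DcrXPathEntry -Entry $_ } | Format-Table -AutoSize -Wrap
```

An entry that shows a non-zero Matched count here is valid on the server itself, which narrows any remaining problem to the data collection rule or the agent rather than the XPath.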