((EventID:4699 OR EventID:4701) (TaskName:\\Windows\\SystemRestore\\SR* OR TaskName:\\Windows\\Windows\ Defender\\* OR TaskName:\\Windows\\BitLocker* OR TaskName:\\Windows\\WindowsBackup\\* OR TaskName:\\Windows\\WindowsUpdate\\* OR TaskName:\\Windows\\UpdateOrchestrator\\Schedule* OR TaskName:\\Windows\\ExploitGuard*)) (-(EventID:4699 SubjectUserName:$ TaskName:\\Windows\\Windows\ Defender\\*))