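(CommandLine:Select* AND CommandLine:Win32_NTLogEvent*) OR ((Image:\\wevtutil.exe OR OriginalFileName:wevtutil.exe) AND (CommandLine:\ qe\ * OR CommandLine:\ query\-events\ *)) OR ((Image:\\wmic.exe OR OriginalFileName:wmic.exe) AND CommandLine:\ ntevent*) OR (CommandLine:Get\-WinEvent\ * OR CommandLine:get\-eventlog\ *)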