(State:Stopped OR "Sysmon\ config\ state\ changed") (-State:Started)