(EventID:11 OR EventID:12) (ProcessPath:\\MpCmdRun.exe OR ProcessPath:\\NisSrv.exe)