((CommandLine:Microsoft\-Windows\-PowerShell* OR CommandLine:Microsoft\-Windows\-Security\-Auditing* OR CommandLine:Microsoft\-Windows\-TerminalServices\-LocalSessionManager* OR CommandLine:Microsoft\-Windows\-TerminalServices\-RemoteConnectionManager* OR CommandLine:Microsoft\-Windows\-Windows\ Defender* OR CommandLine:PowerShellCore* OR CommandLine:Security* OR CommandLine:Windows\ PowerShell*) OR (CommandLine:\-InstanceId\ 462** OR CommandLine:.eventid\ \-eq\ 462** OR CommandLine:.ID\ \-eq\ 462** OR CommandLine:EventCode=*462** OR CommandLine:EventIdentifier=*462** OR CommandLine:System\[EventID=462*\]* OR CommandLine:\-InstanceId\ 4778* OR CommandLine:.eventid\ \-eq\ 4778* OR CommandLine:.ID\ \-eq\ 4778* OR CommandLine:EventCode=*4778** OR CommandLine:EventIdentifier=*4778** OR CommandLine:System\[EventID=4778\]* OR CommandLine:\-InstanceId\ 25* OR CommandLine:.eventid\ \-eq\ 25* OR CommandLine:.ID\ \-eq\ 25* OR CommandLine:EventCode=*25** OR CommandLine:EventIdentifier=*25** OR CommandLine:System\[EventID=25\]* OR CommandLine:\-InstanceId\ 1149* OR CommandLine:.eventid\ \-eq\ 1149* OR CommandLine:.ID\ \-eq\ 1149* OR CommandLine:EventCode=*1149** OR CommandLine:EventIdentifier=*1149** OR CommandLine:System\[EventID=1149\]* OR CommandLine:\-InstanceId\ 21* OR CommandLine:.eventid\ \-eq\ 21* OR CommandLine:.ID\ \-eq\ 21* OR CommandLine:EventCode=*21** OR CommandLine:EventIdentifier=*21** OR CommandLine:System\[EventID=21\]* OR CommandLine:\-InstanceId\ 22* OR CommandLine:.eventid\ \-eq\ 22* OR CommandLine:.ID\ \-eq\ 22* OR CommandLine:EventCode=*22** OR CommandLine:EventIdentifier=*22** OR CommandLine:System\[EventID=22\]*)) ((CommandLine:Select* CommandLine:Win32_NTLogEvent*) OR ((Image:\\wevtutil.exe OR OriginalFileName:wevtutil.exe) (CommandLine:\ qe\ * OR CommandLine:\ query\-events\ *)) OR ((Image:\\wmic.exe OR OriginalFileName:wmic.exe) CommandLine:\ ntevent*) OR (CommandLine:Get\-WinEvent\ * OR CommandLine:get\-eventlog\ *))