So here's the line filtering out a bunch of events:
wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /count:1 /rd:true /format:text /q:"*[System[(EventID=1005 or EventID=1015 or EventID=1116 or EventID=1119 or EventID=1127 or EventID=2001 or EventID=2003 or EventID=2006 or EventID=2012 or EventID=3002 or EventID=5001 or EventID=5007 or EventID=5008 or EventID=5010 or EventID=5012 or EventID=5013)]]"
Log Name: Microsoft-Windows-Windows Defender/Operational
Source: Microsoft-Windows-Windows Defender
Date: 2022-10-12T10:18:34.6960000Z
Event ID: 5001
Task: N/A
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: <computername>
Description:
Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled.
I would like to have the Event ID (5001) and description (Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled) added to the mail. Any ideas how to do that?
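One way to get the Event ID and description into a mail body is to let PowerShell read the event directly instead of scraping the `wevtutil` text output. The script below is an added example, not code from the post above; it uses the same Defender event ID list, takes the newest matching event (equivalent to `/count:1 /rd:true`), and puts its `Id` and rendered `Message` (the text shown under `Description:`) into the mail. The SMTP server and the From/To addresses are placeholders you must replace.

```powershell
# Added example: newest Defender Operational event from the ID list, mailed with its ID and description.
# Assumptions: run as a user allowed to read the Defender Operational log; SMTP settings are placeholders.

# Same event IDs as the wevtutil query. Passing an array to Id builds an "EventID=a or EventID=b ..." filter,
# so no two EventID conditions are ever combined with "and" (which can never match a single event).
$ids = 1005, 1015, 1116, 1119, 1127, 2001, 2003, 2006, 2012, 3002, 5001, 5007, 5008, 5010, 5012, 5013

$filter = @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = $ids
}

# Get-WinEvent returns newest first; -MaxEvents 1 is the counterpart of /count:1 /rd:true.
$event = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $event) {
    Write-Host 'No matching Defender events found; nothing to send.'
    return
}

# Build the mail body from the event fields. $event.Message is the rendered description,
# e.g. "Microsoft Defender Antivirus Real-time Protection scanning ... was disabled." for ID 5001.
$body = @"
Computer:    $($event.MachineName)
Time (UTC):  $($event.TimeCreated.ToUniversalTime().ToString('o'))
Event ID:    $($event.Id)
Level:       $($event.LevelDisplayName)
Description: $($event.Message)
"@

$subject = "Defender event $($event.Id) on $($event.MachineName)"

# Placeholder mail settings; replace with your own relay and mailboxes.
$mail = @{
    From       = 'defender-alerts@example.invalid'
    To         = 'secops@example.invalid'
    Subject    = $subject
    Body       = $body
    SmtpServer = 'smtp.example.invalid'
}
Send-MailMessage @mail
```

If you want to keep the exact XPath from the `wevtutil` command instead of the hashtable, `Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -FilterXPath '<your query>' -MaxEvents 1` works the same way and exposes the same `Id` and `Message` properties. `Send-MailMessage` is flagged as obsolete in newer PowerShell releases because it does not guarantee a secure connection, but it is still available in Windows PowerShell 5.1; for a relay that requires TLS and authentication, add `-UseSsl` and `-Credential`, or switch to a mail library your environment already trusts.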