So here's the line filtering out a bunch of events:
wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /count:1 /rd:true /format:text /q:"*[System[((EventID >= 1005 and EventID <= 1015) or (EventID >= 1116 and EventID <= 1119) or EventID=1127 or EventID=2001 or EventID=2003 or EventID=2006 or EventID=2012 or EventID=3002 or EventID=5001 or EventID=5007 or EventID=5008 or EventID=5010 or EventID=5012 or EventID=5013)]]"
The result could be something like this:
Log Name: Microsoft-Windows-Windows Defender/Operational
Source: Microsoft-Windows-Windows Defender
Event ID: 5001
User Name: NT AUTHORITY\SYSTEM
Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled.
I would like to have the Event ID (5001) and description (Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled) added to the mail. Any ideas how to do that?
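One way to get the Event ID and description into the mail, as an added example that is not part of the original post: it reads the newest matching event with Get-WinEvent instead of parsing wevtutil text, then builds the subject and body from the event's fields. The SMTP server and addresses are placeholders, and treating the two paired Event IDs as ranges is an assumption.

```powershell
# Added example, not the poster's script. Mail settings below are placeholders.
$logName = 'Microsoft-Windows-Windows Defender/Operational'
# Event IDs from the wevtutil query above; the two pairs are assumed to be ranges.
$ids = @(
    '(EventID >= 1005 and EventID <= 1015)', '(EventID >= 1116 and EventID <= 1119)',
    'EventID=1127', 'EventID=2001', 'EventID=2003', 'EventID=2006', 'EventID=2012',
    'EventID=3002', 'EventID=5001', 'EventID=5007', 'EventID=5008', 'EventID=5010',
    'EventID=5012', 'EventID=5013'
)
$xpath = '*[System[(' + ($ids -join ' or ') + ')]]'
try {
    # Newest event first, one result: same as /rd:true /count:1.
    $evt = Get-WinEvent -LogName $logName -FilterXPath $xpath -MaxEvents 1 -ErrorAction Stop
} catch {
    # Get-WinEvent raises an error when nothing matches the filter.
    Write-Output "No matching Defender event: $($_.Exception.Message)"
    return
}

# The first line of the rendered message is the short description.
$message = if ($evt.Message) { $evt.Message.Trim() } else { '(message text not available)' }
$summary = ($message -split "`r?`n")[0]

# UserId is a SID; translate it to DOMAIN\name when possible.
$user = '(none)'
if ($evt.UserId) {
    try { $user = $evt.UserId.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $user = $evt.UserId.Value }
}

$subject = "Defender event $($evt.Id) on $($evt.MachineName): $summary"
$body = @"
Log Name: $($evt.LogName)
Event ID: $($evt.Id)
Time:     $($evt.TimeCreated.ToString('u'))
User:     $user

$message
"@

# Placeholder mail settings (assumptions): replace with your own relay and addresses.
$mail = @{
    SmtpServer = 'smtp.example.invalid'
    From       = 'defender-alerts@example.invalid'
    To         = 'secops@example.invalid'
    Subject    = $subject
    Body       = $body
}
Send-MailMessage @mail
```

Events such as 5001 and 5007 record protection being turned off or reconfigured, so putting the ID and first message line in the subject lets a recipient triage without opening the mail.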