<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
    <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[( (EventID >= 1005 and EventID <= 1015) or (EventID >= 1116 and EventID <= 1119) or EventID=1127 or EventID=2001 or EventID=2003 or EventID=2006 or EventID=2012 or EventID=3002 or EventID=5001 or EventID=5008 or EventID=5010 or EventID=5012 or EventID=5013)]]</Select>
  </Query>
</QueryList>

If one of the events occurs, it executes a cmd file to inform me by mail about the event. To filter out the particular event, I use wevtutil to retrieve the last occurrence of the event with this query:

wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /count:1 /rd:true /format:text /q:"*[System[((EventID>=1005 and EventID<=1012) or EventID=1014 or EventID=1015 or (EventID>=1116 and EventID<=1119) or EventID=1127 or EventID=2001 or EventID=2003 or EventID=2006 or EventID=2012 or EventID=3002 or EventID=5001 or EventID=5008 or EventID=5010 or EventID=5012)]]"

If I execute this on the command line, it only lists the most recent event. But when executed from Task Scheduler, instead of listing only the most recent one, it lists ALL events? I can't figure out why...

As a work-around, I added a filter for time, so the query now looks like this:

wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /count:1 /rd:true /format:text /q:"*[System[((EventID>=1005 and EventID<=1012) or EventID=1014 or EventID=1015 or (EventID>=1116 and EventID<=1119) or EventID=1127 or EventID=2001 or EventID=2003 or EventID=2006 or EventID=2012 or EventID=3002 or EventID=5001 or EventID=5008 or EventID=5010 or EventID=5012) and TimeCreated[timediff(@SystemTime) <= 300000]]]"

This should only list events of the last 5 minutes.

But I still don't know why I have to use this time filter since I already specified (/count:1) to list the most recent event only?
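The same retrieval done from PowerShell instead of wevtutil, as an added example that is not part of the original post: it reuses the event ID set from the question's query, builds the XPath filter, and optionally appends the same timediff window as the work-around. It assumes Get-WinEvent is available on the host and that the log name is the one used above; the function name is my own.

```powershell
# Added example (not from the original post): fetch the newest Defender
# Operational event that matches the question's ID set via Get-WinEvent.
# Assumes the log name used in the question and that Get-WinEvent exists.
$DefenderEventIds = @(1005..1012) + @(1014, 1015) + @(1116..1119) +
                    @(1127, 2001, 2003, 2006, 2012, 3002, 5001, 5008, 5010, 5012)

function Get-LatestDefenderEvent {
    [CmdletBinding()]
    param(
        [int[]] $EventId = $DefenderEventIds,
        # 0 = no time filter; 300 mirrors the 5-minute work-around (300000 ms).
        [int] $WindowSeconds = 0
    )

    # "EventID=1005 or EventID=1006 or ..." - same selector the question uses.
    $idClause = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    $xpath = "*[System[($idClause)"
    if ($WindowSeconds -gt 0) {
        $ms = $WindowSeconds * 1000
        # timediff(@SystemTime) is milliseconds between now and the event.
        $xpath += " and TimeCreated[timediff(@SystemTime) <= $ms]"
    }
    $xpath += "]]"

    # Log the exact filter so a scheduled run can be compared with an
    # interactive run when the results differ.
    Write-Verbose "XPath: $xpath"

    # Get-WinEvent returns newest first, so -MaxEvents 1 is the most recent
    # match; -ErrorAction SilentlyContinue keeps "no events found" quiet.
    Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' `
                 -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# Usage: newest matching event overall, then only within the last 5 minutes.
Get-LatestDefenderEvent -Verbose
Get-LatestDefenderEvent -WindowSeconds 300 -Verbose
```

Run it with -Verbose once interactively and once from the scheduled task and diff the two logged XPath lines and outputs; that isolates whether the filter or the execution context is what differs.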