#####aid_begin
#description: event query - query the windows event system log for 104, 517, 1102
#id: aid2201232238
#processtype: query
#category: eventlog
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  format-bgevent
#  1) get the windows event log event where id 104, 517, 1102
#notes: |-
#  query the windows event system log.
#   o event source: System
#   o schema used: "sysmon.schema"
#   o event dataset: "System"
#   o eventid's: '104, 517, 1102'
#####aid_end
commands:
- Format-BGEvent -Logname System -ID '104,517,1102' -MaxEvents 1000