application_execution
  data_type is 'windows:prefetch:execution'
  data_type is 'windows:lnk:link' and filename contains 'Recent' and (local_path contains '.exe' OR network_path contains '.exe' OR relative_path contains '.exe')
  (data_type is 'windows:registry:mrulist' OR data_type is 'windows:registry:mrulistex') AND entries contains '.exe'
  data_type is 'windows:registry:userassist' AND value_name contains '.exe'
  data_type is 'windows:evtx:record' and strings contains 'user mode service' and strings contains 'demand start'
  data_type is 'fs:stat' and filename contains 'Windows/Tasks/At'
  data_type is 'windows:tasks:job'
  data_type is 'windows:evt:record' and source_name is 'Security' and event_identifier is 592
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Security-Auditing' and event_identifier is 4688
  data_type is 'windows:registry:appcompatcache'

application_install
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Application-Experience' and event_identifier is 903
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Application-Experience' and event_identifier is 904

application_update
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Application-Experience' and event_identifier is 905

application_removal
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Application-Experience' and event_identifier is 907
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Application-Experience' and event_identifier is 908

document_open
  data_type is 'windows:registry:bagmru' OR data_type is 'windows:registry:office_mru' OR data_type is 'windows:registry:office_mru_list'
  (data_type is 'windows:registry:mrulist' OR data_type is 'windows:registry:mrulistex') AND entries not contains '.exe' AND timestamp > 0

login_failed
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Security-Auditing' and event_identifier is 4625

login_attempt
  data_type is 'windows:evt:record' and source_name is 'Security' and event_identifier is 540
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Security-Auditing' and event_identifier is 4624
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-TerminalServices-LocalSessionManager' and event_identifier is 21
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-TerminalServices-LocalSessionManager' and event_identifier is 1101
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Winlogon' and event_identifier is 7001
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-TerminalServices-RemoteConnectionManager' and event_identifier is 1147
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-TerminalServices-RemoteConnectionManager' and event_identifier is 1149
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-User Profiles Service' and event_identifier is 2

logoff
  data_type is 'windows:evt:record' and source_name is 'Security' and event_identifier is 538
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Security-Auditing' and event_identifier is 4634
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Winlogon' and event_identifier is 7002
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-TerminalServices-LocalSessionManager' and event_identifier is 23
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-TerminalServices-LocalSessionManager' and event_identifier is 1103
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-User Profiles Service' and event_identifier is 4

session_disconnection
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-TerminalServices-LocalSessionManager' and event_identifier is 24

session_reconnection
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-TerminalServices-LocalSessionManager' and event_identifier is 25
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-TerminalServices-LocalSessionManager' and event_identifier is 1105

shell_start
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-TerminalServices-LocalSessionManager' and event_identifier is 22
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-TerminalServices-LocalSessionManager' and event_identifier is 1102

task_schedule
  data_type is 'windows:evt:record' and source_name is 'Security' and event_identifier is 602
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Security-Auditing' and event_identifier is 4698

job_success
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-TaskScheduler' and event_identifier is 102

action_success
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-TaskScheduler' and event_identifier is 201

name_resolution_timeout
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-DNS-Client' and event_identifier is 1014

time_change
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Kernel-General' and event_identifier is 1

shutdown
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Kernel-General' and event_identifier is 13

system_start
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Kernel-General' and event_identifier is 13

system_sleep
  data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Kernel-Power' and event_identifier is 42

autorun
  data_type is 'windows:registry:boot_execute' AND (value contains '.exe' OR value contains '.dll')
  data_type is 'windows:registry:boot_verification' AND (image_path contains '.exe' OR image_path contains '.dll')
  data_type is 'windows:registry:run' AND (entries contains '.exe' OR entries contains '.dll')

file_download
  data_type is 'chrome:history:file_downloaded'
  timestamp_desc is 'File Downloaded'

document_print
  data_type is 'olecf:summary_info' AND timestamp_desc contains 'Printed'
