et-eventlog -log security | where-object {$_.TimeGenerated -gt (get-date).adddays(-5) -AND $_.EntryType -eq 'SuccessAudit' –AND (($_.EventID -eq "5145" -AND $_.Message -match "\\\\\*\\ADMIN\$|\\\\\*\\C\$|\\\\\*\\IPC\$" -AND $_.Message -match "\%\%4417") -OR ($_.EventID -eq "4674" -AND $_.Message -match "SeTakeOwnershipPrivilege|SeDebugPrivilege|SeTcbPrivilege") -OR ($_.EventID -eq "4688" -AND $_.
