application_exection
  data_type is 'windows:prefetch'

file_downloaded
  data_type is 'chrome:history:file_downloaded'
  timestamp_desc is 'File Downloaded'

login_attempt
  data_type == 'windows:evt:record' and source_name == 'Security' and event_identifier == 538

security_event
  data_type == 'windows:evt:record' and source_name == 'Security'

text_contains
  body contains 'a message'
