Listing 1: Finding the Programs Executed on a System

logparser "select TimeGenerated, RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,3,'|'),'{}%','')) as User, EXTRACT_TOKEN(Strings,1,'|') as Program from security where eventid=592"