Runtime defense for Windows processes is implemented with a Windows driver. Although most Defender events are sent to the Defender’s log file, driver events are captured in the Windows Event Log. To retrieve Prisma Cloud events from the Windows Events Log, run the following command:

$ Get-EventLog -LogName System -Source Prisma Cloud