diff --git a/Forensics/Windows Event Logs.md b/Forensics/Windows Event Logs.md index 6ffadcb..06776e2 100644 --- a/Forensics/Windows Event Logs.md +++ b/Forensics/Windows Event Logs.md @@ -61,6 +61,10 @@ Get-WinEvent -FilterHashTable @{LogName='';ID=''} | fl * **4702**: Scheduled task updated * **4699**: Scheduled task deletion +* **106** Task registered +* **100** Task started +* **129** Created Task Process + ### System * **7045**: Service installation @@ -69,5 +73,25 @@ Get-WinEvent -FilterHashTable @{LogName='';ID=''} | fl * **1100**: Logging service disabled * **1102**: Log deletion -* **1116**: Malware detection +* **1116**: Windows Defender Malware detection +* **1117**: Windows Defender Malware quarantined * **4697**: Service installation (subsection of **7045**) +* **5001**: Windows Defender disabled +* **5007**: Windows Defender configuration changed + +### Powershell + +Applications and Services Logs -> Windows Powershell and Apps and Services Logs +-> Microsoft -> Windows -> Powershell -> Operational + +* **600**: Opening Powershell +* **4104**: Powershell command executed + +## RDP + +Applications and Services Logs -> Microsoft -> Windows -> +TerminalServices-LocalSessionManager -> Operational + +* **21**: RDP Connect +* **24**: RDP Disconnect +* **25**: RDP Reconnect
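Review bot: In the first hunk (the scheduled-task bullets), the three new entries `* **106** Task registered`, `* **100** Task started` and `* **129** Created Task Process` drop the colon after the bold ID that every neighbouring bullet uses (`* **4702**: Scheduled task updated`); add the colon so the list stays uniform. They also sit directly under the Security-log IDs 4702/4699, but unlike those they are not Security-log events, so the list should say which log they come from (Microsoft-Windows-TaskScheduler/Operational) in the same way the later PowerShell and RDP sections give their log path, otherwise the `LogName=''` placeholder in the `Get-WinEvent` line above gives the reader no hint where to look.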
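Review bot: In the second hunk the new `## RDP` heading is one level above its siblings `### System` and `### Powershell`, so it will render as a top-level section rather than another log category; change it to `### RDP`. The PowerShell location line runs two different paths into one sentence (`Applications and Services Logs -> Windows Powershell and Apps and Services Logs -> Microsoft -> Windows -> Powershell -> Operational`); split it into one line per log so that **600** (the classic Windows PowerShell log) and **4104** (the Microsoft-Windows-PowerShell/Operational log) are each tied to the log they actually live in. The Defender bullets (**1116**, **1117**, **5001**, **5007**) are likewise being added under `### System`, where the other entries are System/Security IDs; a short note of the Defender log path would keep the section consistent with the new PowerShell and RDP subsections.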