Powershell Defender Disable Scan Feature


About the rule

Rule Type

Standard

Rule Description

Detects attempts to disable Microsoft Defender protection features through PowerShell Set-MpPreference / Add-MpPreference commands, whether the command line is passed in plain text or in base64-encoded form.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Process started" AND (COMMANDLINE contains "Add-MpPreference ,Set-MpPreference " AND COMMANDLINE contains "DisableArchiveScanning ,DisableRealtimeMonitoring ,DisableIOAVProtection ,DisableBehaviorMonitoring ,DisableBlockAtFirstSeen ,DisableCatchupFullScan ,DisableCatchupQuickScan " AND COMMANDLINE contains "$true, 1 ") OR ((COMMANDLINE contains "ZGlzYWJsZWFyY2hpdmVzY2FubmluZy,Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg,kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI" OR COMMANDLINE contains "RGlzYWJsZUFyY2hpdmVTY2FubmluZy,Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg,EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI" OR COMMANDLINE contains "ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy,Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg,kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI" OR COMMANDLINE contains "RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy,Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg,EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI" OR COMMANDLINE contains "ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g,Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI,kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi" OR COMMANDLINE contains "RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g,Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI,EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi" OR COMMANDLINE contains "ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi,Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g,kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI" OR COMMANDLINE contains "RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi,Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g,EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI" OR COMMANDLINE contains "ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g,Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI,kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi" OR COMMANDLINE contains "RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g,Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI,EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi" OR COMMANDLINE contains "ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI,Rpc2FibGVpb2F2cHJvdGVjdGlvbi,kaXNhYmxlaW9hdnByb3RlY3Rpb24g" OR COMMANDLINE contains "RGlzYWJsZUlPQVZQcm90ZWN0aW9uI,Rpc2FibGVJT0FWUHJvdGVjdGlvbi,EaXNhYmxlSU9BVlByb3RlY3Rpb24g" OR COMMANDLINE contains "ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy,Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg,kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI" OR COMMANDLINE contains 
"RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy,Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg,EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI") OR (COMMANDLINE contains "RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA,QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA,EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA,RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA,QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA,EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA,RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA,QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA,EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA,RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA,QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA,EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA,ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA,QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" OR COMMANDLINE contains "kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA,ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA,QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA,kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA,ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA,QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA,kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA,ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA,QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA,kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA,RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA,RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA,RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA")) select 
Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME

Detection

Execution Mode

realtime

Log Sources

Windows

Author

Florian Roth (Nextron Systems)