MoTW

index=main 
| search ComputerName="*" 
| search FileName="*"  
| search event_simpleName=MotwWritten
| table _time, aid, ComputerName, FileName, FilePath, ZoneIdentifier_decimal, HostUrl, ReferrerUrl