@thor I’ve tested the case again using powershell_events table and result OK. osquery_result log file contains the number of events as related event channel contains. in this case, there may be a bug related with the first case? or i’m missing something?