// run against results from Windows.Persistence.PermanentWMIEvents
// https://github.com/Velocidex/velociraptor/blob/master/artifacts/definitions/Windows/Persistence/PermanentWMIEvents.yaml

SELECT ConsumerDetails.Name AS ConsumerName, ConsumerDetails.CommandLineTemplate AS CommandLineTemplate, FilterDetails.Name AS FilterName, FilterDetails.Query AS FilterQuery, count() AS Count FROM source()
// filter common FPs
WHERE ConsumerName != "BVTConsumer"
AND ConsumerName != "SCM Event Log Consumer"
AND ConsumerName != "DellCommandPowerManagerAlertEventConsumer"
AND ConsumerName != "DellCommandPowerManagerPolicyChangeEventConsumer"
AND ConsumerName != "CmdLineConsumer_WSCEAA"
// end filter common FPs
GROUP BY ConsumerName, CommandLineTemplate, FilterName, FilterQuery // stack
LIMIT 50