select "ObjectName", "Parent Process Name" as 'Parent Process Name (custom)',"Process Name" as 'Process Name (custom)',"Command" as 'Command (custom)' from events where ( (  "Process Name" ilike '%rdclient%' OR "Process Name" ilike '%supporttool.exe%' ) AND "qidEventId"='4688' ) OR ("qidEventId"='4657' AND "ObjectName" ILIKE '%SOFTWARE\RdClient\%') order by "startTime" desc LIMIT 1000 last 30 minutes