Runtime defense for Windows processes is implemented with a Windows driver. Although most Defender events are written to the Defender log file, driver events are captured in the Windows Event Log. To retrieve Twistlock events from the Windows Event Log, run the following command:

$ Get-EventLog -LogName System -Source Twistlock
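
To review recent driver events instead of dumping the whole log, the following added example (not part of the original documentation) limits the query to a time window and summarizes the results by event ID and level. The function name, the 24-hour default, and the assumption that the Get-WinEvent provider name matches the `Twistlock` source are illustrative.

```powershell
# Added example: summarize recent Twistlock driver events from the System log.
# Assumptions: the function name, the 24-hour default window, and that the
# Get-WinEvent provider name equals the "Twistlock" source used above.
function Get-TwistlockDriverEvent {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [string]$Source = 'Twistlock'
    )
    $since = (Get-Date).AddHours(-$Hours)

    if (Get-Command Get-EventLog -ErrorAction SilentlyContinue) {
        # Windows PowerShell 5.1: same cmdlet as the documented command.
        Get-EventLog -LogName System -Source $Source -After $since -ErrorAction SilentlyContinue |
            Select-Object @{n='Time';e={$_.TimeGenerated}},
                          @{n='Id';e={$_.EventID}},
                          @{n='Level';e={[string]$_.EntryType}},
                          Message
    }
    else {
        # PowerShell 6+ does not ship Get-EventLog; Get-WinEvent reads the same log.
        $filter = @{ LogName = 'System'; ProviderName = $Source; StartTime = $since }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Select-Object @{n='Time';e={$_.TimeCreated}},
                          Id,
                          @{n='Level';e={$_.LevelDisplayName}},
                          Message
    }
}

$events = @(Get-TwistlockDriverEvent -Hours 24)
if ($events.Count -eq 0) {
    Write-Output 'No Twistlock driver events in the selected window.'
}
else {
    # Count per event ID and level, most frequent first.
    $events | Group-Object Id, Level | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
    # Ten most recent events, showing the first line of each message.
    $events | Sort-Object Time -Descending |
        Select-Object -First 10 Time, Id, Level,
            @{n='Summary';e={($_.Message -split "`r?`n")[0]}} |
        Format-Table -AutoSize -Wrap
}
```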