index="windows" sourcetype=WinRegistry key_path="HKLM\\software\\microsoft\\powershell\\1\\shellids\\microsoft.powershell\\executionpolicy"
| table _time, host, registry_type, registry_value_data, registry_value_name
| rename host as Host, registry_type as Action, registry_value_data as "Registry Value", registry_value_name as "Registry Value Name"