T1204 User Execution

SELECT *
FROM shell_commands
LEFT OUTER JOIN container_events USING(container_id)
WHERE (
    uid = 0 OR uid > 1000
) AND NOT (
    ARRAY_JOIN(program_arguments, ' ') LIKE '%etcdctl%' 
    OR container_name LIKE '%etcd%'
)