Hoping to revive an old thread... I'm trying to do something very similar, except in my case using the Windows Defender/Operational log. I got it working using the above format, but am trying to extract ONLY the "Scan Type" field of the message. Is that possible? (I thought I could do this by trying to select the fourth line of the message field as below, but this doesn't work...)
$Query = "<QueryList>
<Query Id='0' Path='Microsoft-Windows-Windows Defender/Operational'>
<Select Path='Microsoft-Windows-Windows Defender/Operational'>*[System[(EventID=1000 or EventID=1001)]]</Select>
</Query>
</QueryList>"
Get-WinEvent -FilterXML $Query | Select-Object -Property TimeCreated, Id, @{N='Detailed Message'; E={$_.Message}} | Sort-Object -Property TimeCreated | Select "(Detailed Message)[.3]"
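
An added example, not part of the original post: one way to pull a single labeled field out of the rendered message is to match the label with a regular expression rather than selecting a line by position. `Get-MessageField` is a hypothetical helper, the sample message text is constructed, and the code assumes the message contains a line of the form `Scan Type: <value>`.

```powershell
# Added example (not from the original post).
# Same event filter as in the post, written as a here-string.
$Query = @"
<QueryList>
  <Query Id='0' Path='Microsoft-Windows-Windows Defender/Operational'>
    <Select Path='Microsoft-Windows-Windows Defender/Operational'>*[System[(EventID=1000 or EventID=1001)]]</Select>
  </Query>
</QueryList>
"@

# Hypothetical helper: return the value that follows "<Name>:" on its own
# line of a multi-line message, or $null when the label is not present.
function Get-MessageField {
    param(
        [string]$Message,
        [string]$Name
    )
    # (?m) lets ^ and $ match at every line; [ \t]* skips indentation
    # without crossing a line break; \r? tolerates CRLF line endings.
    $pattern = '(?m)^[ \t]*' + [regex]::Escape($Name) + '[ \t]*:[ \t]*(.*?)[ \t]*\r?$'
    $match = [regex]::Match($Message, $pattern)
    if ($match.Success) { $match.Groups[1].Value } else { $null }
}

# Constructed sample message, used only to show the helper offline.
$sample = "Scan has started.`r`n" +
          "`tScan ID: {00000000-0000-0000-0000-000000000000}`r`n" +
          "`tScan Type: Antimalware`r`n" +
          "`tScan Parameters: Quick Scan`r`n" +
          "`tUser: EXAMPLE\user"
Get-MessageField -Message $sample -Name 'Scan Type'        # Antimalware
Get-MessageField -Message $sample -Name 'Scan Parameters'  # Quick Scan

# Applied to the live log. The rendered message is localized, so the label
# passed in -Name has to match the display language of the machine.
Get-WinEvent -FilterXml $Query -ErrorAction SilentlyContinue |
    Sort-Object -Property TimeCreated |
    Select-Object -Property TimeCreated, Id,
        @{N='Scan Type'; E={ Get-MessageField -Message $_.Message -Name 'Scan Type' }}
```

Matching on the label keeps the output correct if the field order or the number of lines in the message differs between event IDs.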