Here is a good pattern approach to take to this sort of question. Perform the action in some session that is audited by PAM, view the keystroke report of the audited session in the Reporting Console, select 'Show audited commands' from the bottom-right options. Now the OS calls will be displayed in the keystroke report. Find the 'Standard Input' that is audited that you'd like to take action on in this case, then create a Command Risk filter that would match that input. So the following command should likely catch this input: *Shut Down Windows*
Setting high risk should show the risk color as red in the keystroke report as well in this case.
This is just for marking Command Risk and taking some automated action against user, such as auto disconnecting their session and/or blocking the user from access in the future. For more details, please feel free to Open a Service Request with us.