Consider adding TargetImageProtected flag to ProcessAccess events

[qjerome]

https://blog.menasec.net/2022/04/auditing-protected-lsass-runasppl.html

RunAsPPL seems to apply only to LSASS, a more reliable approach would be to use Windows API -> try to use: https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getprocessinformation