I'm working on collecting LSA audit and operational events on Windows OS by using AMA and Sysmon. I show several LSA control HKEYs in the configuration, but how do I know if both LSA and Credential Guard events are being collected via Sysmon? I'm feeding this data set to a SIEM for further processing, but after querying the logs I can't find anything related to LSA. We have LSA in audit mode at the moment. TIA