sysmon-config

LSA Credential Guard

Open piExpr opened this issue 1 year ago • 0 comments

Working on collecting LSA audit and operational events on Windows OS by using AMA and Sysmon. I show several LSA control HKEYs in the configuration, but how do I know if both LSA and Credential Guard events are being collected via Sysmon? I'm feeding this data set to a SIEM for further processing, but after querying the logs I can't find anything related to LSA. We have LSA in audit mode at the moment. TIA

piExpr, Jun 21 '24 19:06