Open
Description
I'm working on collecting LSA audit and operational events on Windows OS by using AMA and Sysmon. I show several LSA control HKEYs in the configuration, but how do I know if both LSA and Credential Guard events are being collected via Sysmon? I'm feeding this data set to a SIEM for further processing, but after querying the logs I can't find anything related to LSA. We have LSA in audit mode at the moment. TIA