I hereby claim:
- I am frcolumba on github.
- I am frcolumba (https://keybase.io/frcolumba) on keybase.
- I have a public key whose fingerprint is 4AD2 CF6A 7109 CAFC FF86 88CA B784 22C5 57C2 19DB
To claim this, I am signing this object:
If you don't have an E5 subscription, run 1709 in your environment, and use OSSEC, you can quickly add the new ASR features | |
to your alerting and reports since you don't have access to the Defender console thingy. | |
The event reference is here: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#list-of-all-windows-defender-exploit-guard-events | |
All your need to do is add: | |
<localfile> | |
<location>Microsoft-Windows-Windows Defender/Operational</location> | |
<log_format>eventchannel</log_format> |
I hereby claim:
To claim this, I am signing this object: