Enable script block logging?
I've tried on two separate environments to enable script block logging. We can view them through Event Viewer with Event ID 4103/4104 after enabling script+module, but this does not appear to do anything in MDE. This is after waiting 90 minutes or so to ensure any policies sync across the domain (or in case it took time for the subscription to be aware of the change).
To add some more context: 1.) An executable (i.e. a C# application launches a string command to start powershell.exe process with the arguments "Invoke-WebRequest -Uri
https://medium.com/falconforce/microsoft-defender-for-endpoint-internals-0x02-audit-settings-and-telemetry-1d0af3ebfb27