Hi, we have recently enabled auditing of PowerShell via Module and Scriptblock logging. We’ve had some events come into our SIEM based on suspicious keywords but I’m having trouble identifying what is the source of these scripts. I’ve looked through event IDs 4104 and 800 but can’t find the source of the script. I know what computer it’s coming from and user account but nothing else.
Anything I’m missing or any help to determine what specifically is running these scripts? Thanks!