drop PowerShell Operational EVTX CSV and registry export · detect module logging disabled or never configured · identify gaps in PowerShell pipeline logging · surface periods with no module execution records · runs locally
artifacts
drop PowerShell Operational EVTX CSV · registry export (multi-file)
4103 pipeline gaps · EnableModuleLogging · ModuleNames partial coverage · disable commands in 4104/4688