How do i monitor if some is trying to break the Sophos tamper?

Scenario - Attacker has made into a system and now wants to kill \stop the AV but is tamper locked. 

From SIEM perspective to Monitor such events 

what logs can be shipped from the Event viewer? or from Sophos log directories? 



Added tags
[edited by: Gladys at 5:58 AM (GMT -7) on 27 Oct 2023]
Parents Reply Children
No Data