Hi,
I have been discussing this with the IT Security Team, please see their responses as below
1 - I’ve looked and see no events on the LEM when we clear the event log.
2 - We are not sure what you mean.
3 -
4 - So we need to look at the registry and not the log files?
5 - We can’t rely on the AV to tell us that it’s been disabled. We can’t see those service stopped events reaching the LEM.
It very much looks like this is not the SIEM we are looking for, and we may have to look elsewhere.