Australian ACSC Essential 8 wants us to centrally log macro executions and PowerShell script executions. We are looking to replace Defender for Endpoint P2, which gives us the device events table in the advanced threat hunting schema. If we replace that P2 with Defender for Business and/or Huntress, we will lose that data to query.
Anything we can do here to add this to SIEM or EDR?
Thanks.