auppal
Staff
Article Id 406529
Description This article explains how to troubleshoot communication issues between the FSSO DC Agent and the FSSO Collector Agent caused by Microsoft Defender Exploit Guard, and provides steps to resolve them.
Scope FSSO.
Solution

Communication between the FSSO Collector Agent and the DC Agent (which runs inside the 'lsass.exe' process) may be blocked by Microsoft Defender Exploit Guard. To identify such blocked events and the process they concern, review the Windows Defender Operational log in Event Viewer: Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> Windows Defender -> Operational. Look for events reporting an operation blocked by Microsoft Defender Exploit Guard and note the Process Name recorded in each.

[Image: event_viewer.png]

In the example above, Microsoft Defender Exploit Guard is blocking communication between the FSSO Collector Agent and the DC Agent (lsass.exe).


In the case of FSSO, it is critical that the DC Agent (via the lsass.exe process) can communicate with the FSSO Collector Agent. Blocking this communication disconnects the DC Agent from the Collector Agent, which can prevent FSSO from functioning as expected (e.g. blocking login events from being sent to the Collector Agent).
To address this issue, configure the Attack Surface Reduction policy (specifically Attack Surface Reduction Only Exclusions) for C:\Windows\System32\lsass.exe and C:\Windows\System32\svchost.exe.

[Image: asr.png]

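The same two steps (find the blocking events, then add the ASR-only exclusions) can be carried out from an elevated PowerShell prompt on the domain controller running the DC Agent. This is an added example, not part of the Fortinet article; the event-message field parsing and the assumption that ASR settings are not being enforced by Intune or Group Policy (a managed policy overrides local preferences) are mine.

```powershell
# Added example, not from the Fortinet article. Run in an elevated PowerShell
# prompt on the DC Agent host. Assumes Microsoft Defender is the active
# antivirus and that ASR settings are not managed by Intune/GPO (a managed
# policy would override the local preference set below).

# --- Step 1: find ASR events that involve lsass.exe -------------------------
# Event ID 1121 = an ASR rule fired in block mode, 1122 = audit mode only.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'lsass\.exe' }

if (-not $events) {
    Write-Host 'No ASR events reference lsass.exe; the FSSO disconnect has another cause.'
    return
}

$events | ForEach-Object {
    # The message layout assumed here: "ID: <rule GUID>" and "Path: <process>".
    # Reporting the rule GUID shows which specific ASR rule fired before any
    # exclusion is added, so the exclusion can be kept as narrow as possible.
    $rule = [regex]::Match($_.Message, '(?i)ID:\s*(\{?[0-9a-f-]{36}\}?)').Groups[1].Value
    $path = [regex]::Match($_.Message, '(?i)Path:\s*(\S+)').Groups[1].Value
    '{0}  EventId={1}  Rule={2}  Path={3}' -f $_.TimeCreated, $_.Id, $rule, $path
}

# --- Step 2: add ASR-only exclusions for the two processes the article names --
# ASR-only exclusions affect attack surface reduction rules only; real-time
# scanning of these files is unchanged.
$exclusions = @(
    'C:\Windows\System32\lsass.exe',
    'C:\Windows\System32\svchost.exe'
)
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $exclusions

# Verify the exclusions are now in effect, then re-check the DC Agent to
# Collector Agent connection from the Collector Agent's status view.
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions
```

If the setting is managed centrally, the exclusions must be added in the Intune or Group Policy ASR configuration shown above instead, and the local values reported by Get-MpPreference will reflect that policy.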
For more information, refer to Microsoft's documentation for Microsoft Defender: Enable attack surface reduction rules - Microsoft Defender for Endpoint | Microsoft Learn.