
You're designing a security detection pipeline for Windows endpoint activity and need to decide which telemetry is worth collecting first. The goal is to capture the signals that best support reliable detection of credential dumping while keeping the pipeline practical to operate.
What telemetry sources are most critical when building a detection pipeline to identify credential dumping on Windows endpoints?