Forum Discussion
non-MS AV Product
- Oct 13, 2024
It sounds like you would like to know which events (= event IDs) are being sent to Defender XDR in passive mode so you can leverage them via Advanced Hunting. As far as I know, there is currently no list that Microsoft published that shows that kind of information.
There is an interesting blog series by Olaf Hartong (https://medium.com/falconforce/mdeinternals/home) about MDE and telemetry. In short, not all events are logged locally and not all events are being sent from the device to the portal. Data in Advanced Hunting is also not the same as the data in the device's timeline.
It might be a better solution to use AMA to push the events that you want to Sentinel. Using MDE in passive mode might also cause performance issues, and you probably receive a ton of redundant data that you might already receive through your third-party AV solution (or is it an EDR solution?).
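Since no published list exists, the practical check is to inventory what Advanced Hunting actually holds for a passive-mode device. The query below is an added example, not part of the original thread and not Microsoft's own guidance; it assumes the standard Advanced Hunting device tables (DeviceEvents, DeviceProcessEvents, and the others named) with their ActionType, DeviceName and Timestamp columns, and uses a placeholder hostname that you replace with one of your passive-mode devices.

```kql
// Added example (not from the original thread): enumerate which ActionType
// values Advanced Hunting has received from one device in the last 7 days.
// Run it once against a passive-mode device and once against an active-mode
// device to see which event families the passive sensor still reports.
let targetDevice = "PLACEHOLDER-HOSTNAME";   // assumption: replace with a real device name
union withsource = SourceTable
    DeviceEvents,
    DeviceProcessEvents,
    DeviceNetworkEvents,
    DeviceFileEvents,
    DeviceRegistryEvents,
    DeviceLogonEvents,
    DeviceImageLoadEvents
| where Timestamp > ago(7d)
| where DeviceName =~ targetDevice
| summarize
    EventCount = count(),
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp)
    by SourceTable, ActionType
| order by SourceTable asc, EventCount desc
```

The result is a per-table, per-ActionType count for that device, which is the closest thing to an empirical "what is sent in passive mode" list you can get from the portal itself. Comparing the output against the Windows event IDs you care about makes the gap concrete before you decide whether AMA to Sentinel is the better path for those specific events.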
- logger2115, Oct 15, 2024, Brass Contributor
Exactly the same thoughts around all these topics. Thank you for the links. I'm looking to get more with a single source instead of having to duplicate the technologies. EDR non-MS will be primary, but logging event IDs is desired as we are searching for specific event IDs along with Sysmon events.