Forum Discussion

mathurin68
Brass Contributor
Sep 13, 2021

Sysmon worth using in addition to Defender ATP?

I'm trying to get opinions on whether Sysmon is worth using alongside Defender ATP. The logs would be going into Splunk, if that helps, but just in general.


(Disclaimer: I have asked this in a couple of blue team Slack chats as well.)

  • GuyThreep
    Copper Contributor
    We do exactly this. There's certainly going to be significant overlap, but having a configuration that is able to be tuned to your needs (Sysmon) is incredibly useful. We've been doing testing of different attacker techniques and there are things you can log via Sysmon that won't show up in the ATP timeline (e.g. named pipes). And aside from that, there's always the advantage of being able to access the data from a common interface with your other logs when sending to your SIEM.
    • mathurin68
      Brass Contributor
      Hey Simon, thanks for the response but I don't understand.
      • SteBeSec
        Iron Contributor

        Hi,

        I think this highly depends on your needs. I had some discussions with researchers and the conclusion was that Defender ATP (MDE) detects a lot of things that Sysmon does, but Sysmon can get even a bit more data and you are more flexible in distributing this data to your SIEM.

        It highly depends on your needs and your environment.
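As an added illustration of the named-pipe point GuyThreep raises above (this is example code, not something posted in the thread or shipped by Microsoft): a minimal Sysmon configuration that enables pipe logging (Event ID 17 = pipe created, 18 = pipe connected), the command to load it, and a query that pulls those events back out of the Sysmon operational log and projects the fields you would forward to Splunk. The schema version, the config path and the two excluded pipe-name prefixes are assumptions; adjust the schema version to your Sysmon build and replace the exclusions with whatever is noisy in your own environment.

```powershell
# Added example, not from the thread. Assumes Sysmon64.exe is on PATH and is run
# from an elevated prompt; schema version, path and exclusions are placeholders.

$config = @'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="NamedPipes" groupRelation="or">
      <!-- onmatch="exclude": log every pipe create/connect except the ones listed -->
      <PipeEvent onmatch="exclude">
        <!-- example noisy prefixes; tune for your environment -->
        <PipeName condition="begin with">\Winsock2\CatalogChangeListener-</PipeName>
        <PipeName condition="begin with">\PSHost.</PipeName>
      </PipeEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$configPath = Join-Path $env:ProgramData 'sysmon-pipes.xml'   # assumed location
Set-Content -Path $configPath -Value $config -Encoding ASCII

# First-time install would be:  Sysmon64.exe -accepteula -i $configPath
# Update the config of an existing install without reinstalling the driver:
Sysmon64.exe -c $configPath

# Read back the most recent pipe events and flatten the EventData fields.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 17, 18 } -MaxEvents 50 |
  ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
      Time      = $_.TimeCreated
      Id        = $_.Id                 # 17 = CreatePipe, 18 = ConnectPipe
      EventType = $data['EventType']
      PipeName  = $data['PipeName']
      Image     = $data['Image']
      PID       = $data['ProcessId']
    }
  } | Format-Table -AutoSize
```

The exclude-style rule is deliberate: with `onmatch="exclude"` an unexpected pipe name is logged by default, so tooling that creates its own pipes shows up without you having to predict the name in advance. The cost is volume, which is why the exclusion list exists; build it from your own baseline rather than copying someone else's.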
