Forum Discussion
mathurin68
Sep 13, 2021 · Brass Contributor
Sysmon worth using in addition to Defender ATP?
I'm trying to get opinions on whether Sysmon is worth using alongside Defender ATP. The logs would be going into Splunk, if that helps, but I'm asking in general.
(Disclaimer: I have asked this in a couple of blue-team Slack chats as well.)
- GuyThreep (Copper Contributor): We do exactly this. There's certainly going to be significant overlap, but having a configuration that can be tuned to your needs (Sysmon) is incredibly useful. We've been testing different attacker techniques, and there are things you can log via Sysmon that won't show up in the ATP timeline (e.g. named pipes). Aside from that, there's always the advantage of being able to access the data from a common interface alongside your other logs when sending to your SIEM.
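As an added illustration of the named-pipe point above (this is example code, not something GuyThreep or the thread posted): a minimal Sysmon configuration that keeps pipe events (Event IDs 17 and 18), plus the PowerShell query you would run to see what Sysmon is actually recording before pointing a Splunk forwarder at the channel. The schema version, the excluded image and the file paths are assumptions for the example; adjust them to the Sysmon build and environment you are deploying.

```powershell
# Added example: enable Sysmon named-pipe logging and read the resulting events.
# Assumptions (not from the original thread): Sysmon is already installed,
# schemaversion 4.50 is accepted by the installed build, and svchost.exe is
# the only image we want to drop from pipe logging to keep noise down.

$configPath = 'C:\ProgramData\sysmon-pipes.xml'   # assumed path

# Minimal Sysmon config: hash algorithm plus one rule group for PipeEvent.
# onmatch="exclude" means: log every pipe create/connect EXCEPT those
# matching the listed filters. Sysmon EID 17 = Pipe Created, EID 18 = Pipe Connected.
$sysmonConfig = @'
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="PipeEvents" groupRelation="or">
      <PipeEvent onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      </PipeEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

Set-Content -Path $configPath -Value $sysmonConfig -Encoding UTF8

# Apply the configuration to a running Sysmon service (needs an elevated prompt).
# Sysmon64.exe is the 64-bit binary name shipped by Sysinternals.
# & 'C:\Windows\Sysmon64.exe' -c $configPath

# Pull the most recent pipe events and flatten the EventData XML into fields
# that are easy to eyeball (and that match what Splunk will index).
function Get-SysmonPipeEvents {
    param([int]$MaxEvents = 50)

    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = 17, 18
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id            # 17 = created, 18 = connected
            PipeName = $data.PipeName
            Image    = $data.Image
            Pid      = $data.ProcessId
        }
    }
}

Get-SysmonPipeEvents | Format-Table -AutoSize
```

Once the events appear locally, the Splunk side is just a Windows Event Log input for the `Microsoft-Windows-Sysmon/Operational` channel on the universal forwarder; the PipeName and Image fields above are the ones worth searching on, since lateral-movement tooling tends to create pipes with predictable names.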
- simon_poortman (Copper Contributor): Active to defender
- mathurin68 (Brass Contributor): Hey Simon, thanks for the response, but I don't understand.
- SteBeSec (Iron Contributor):
Hi,
I think this highly depends on your needs. I had some discussions with researchers, and the conclusion was that Defender ATP (MDE) detects a lot of the things that Sysmon does, but Sysmon can get even a bit more data, and you are more flexible in distributing this data to your SIEM.
It highly depends on your needs and your environment.