Forum Discussion
Ralph Göbel
Aug 09, 2020, Copper Contributor
Azure ATP, Defender ATP + SysMon/Eventlog?
Hi all, I am currently wondering about a project for one of our customers and would be happy to hear about your opinion. We have been monitoring Windows Server with Event log, having them ext...
Luizao_f
Jan 06, 2021, Brass Contributor
Good evening.
I have a doubt.
The tables that Defender can send to Sentinel, as if it were Sysmon: is it possible to collect the logs that the Event Viewer generates?
That is, a logon event (Event ID 4624) or a password lockout, for example: is it possible to collect these via Defender / Sysmon, or do I still need the Sentinel MMA agent installed to collect these logs?
Thijs Lecomte
Jan 07, 2021, Bronze Contributor
Sysmon data is also collected through the MMA agent.
So you need the MMA when you want to retrieve events from the Event Viewer.
- Luizao_f, Jan 07, 2021, Brass Contributor
If I receive the logs via Defender, which are similar to the Sysmon logs, do I still need to receive the Event Viewer logs?
That is, a logon log (4624), for example, does it come via Defender or via Sysmon, or does this log come only via the installed MMA agent?
- Thijs Lecomte, Jan 08, 2021, Bronze Contributor
It really depends. Microsoft doesn't publish what events are ingested through MDE.
You need to check the logs, but I would guess these are in the table 'DeviceLogonEvents'. Have you checked here?
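One way to do the check Thijs suggests is to query both sides in the Sentinel workspace and see where a given host's logons actually land. The KQL below is an added example, not code from either poster: it assumes the Microsoft 365 Defender connector is populating DeviceLogonEvents and the Windows Security Events connector (MMA / Azure Monitor agent) is populating SecurityEvent; the host name "SRV01" and the one-day lookback are placeholders.

```kusto
// Added example (not from the thread): compare logon telemetry from MDE with raw
// Security-log events collected by the agent, for one host. "SRV01" is a placeholder.
let host = "SRV01";
// MDE side: DeviceLogonEvents only exists with the Microsoft 365 Defender connector.
let mde = DeviceLogonEvents
    | where Timestamp > ago(1d)
    | where DeviceName startswith host
    | where ActionType in ("LogonSuccess", "LogonFailed")
    | project TimeGenerated = Timestamp,
              Source = "MDE: DeviceLogonEvents",
              Event = ActionType,
              LogonType = tostring(LogonType),
              Account = strcat(AccountDomain, @"\", AccountName);
// Agent side: SecurityEvent is only populated where the Windows Security Events
// connector (MMA / AMA) is collecting. 4624 = logon, 4625 = failed logon,
// 4740 = account locked out (no LogonType on that event).
let mma = SecurityEvent
    | where TimeGenerated > ago(1d)
    | where Computer startswith host
    | where EventID in (4624, 4625, 4740)
    | project TimeGenerated,
              Source = "Agent: SecurityEvent",
              Event = tostring(EventID),
              LogonType = tostring(LogonType),
              Account;
union mde, mma
| summarize Events = count(), LastSeen = max(TimeGenerated) by Source, Event, LogonType
| order by Source asc, Events desc
```

If the "MDE" rows are present but the "Agent" rows are empty, the host is reporting to Defender but has no agent collecting the Security log, which is the case Thijs describes: the 4624/4740 Event Viewer entries themselves do not arrive through MDE.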