Forum Discussion
csmits
Jun 12, 2020
Copper Contributor
Log Collection using a Log Analytics Agent from a Windows Event Collector
Hi, to collect Security events from multiple Windows hosts, a Windows Event Collector has been set up in the environment that we want to monitor. Can we forward all events from this collector usi...
Ofer_Shezaf
Microsoft
Jun 15, 2020
- Support for WEF is in private preview; to explore it and provide feedback, join our Private Previews program.
- A new generation of the Log Analytics agent that will support filtering is also expected to start preview in the next few months.
milkmix_
Oct 20, 2020
Copper Contributor
Hi Ofer_Shezaf,
Do you have more news about WEF support?
I installed the LA agent on a WEC server and I can retrieve events from the WEC host itself, but adding other sources (e.g. ForwardedEvents, custom channels from the subscriptions, ...) from `Log Analytics workspaces > ... > Advanced Settings > Data > Windows Event Logs > Collect events from the following event logs` is not working. Note that ForwardedEvents is suggested in the dropdown from this blade.
Any suggestions?
Best regards
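A collector-side check for the situation described in this post, added here as an example and not taken from the thread or from Microsoft: it assumes a WEC host where `wecutil` is available and subscriptions have already been created, and reports which subscriptions and source computers are actually delivering into ForwardedEvents, so that an empty channel can be told apart from an agent that does not read it.

```powershell
# Added example (not from the thread): verify on the WEC host that events are
# really arriving in ForwardedEvents before troubleshooting the agent side.
param([int]$LookbackMinutes = 60)

# 1. Enumerate subscriptions and show their per-source runtime status
#    (Active / Inactive, last heartbeat, last error). wecutil ships with Windows.
$subs = wecutil es | Where-Object { $_ -ne '' }
if (-not $subs) {
    Write-Warning 'No WEF subscriptions are defined on this collector.'
    return
}
foreach ($s in $subs) {
    Write-Host "=== Subscription: $s ==="
    wecutil gr $s
}

# 2. Count what reached ForwardedEvents recently, grouped by source computer.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "ForwardedEvents received nothing in the last $LookbackMinutes minutes; the gap is upstream of any agent."
    return
}
$events | Group-Object MachineName | Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 3. Confirm the channel the agent is asked to read is enabled and how full it is.
Get-WinEvent -ListLog ForwardedEvents |
    Select-Object LogName, IsEnabled, RecordCount, MaximumSizeInBytes
```

Run it in an elevated PowerShell session on the collector; a subscription shown as Active with zero recent events usually points at a source-side permission or firewall problem rather than at the collection agent.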
- Laurent_Cardon
Oct 23, 2020
Microsoft
I'm just discovering this topic and the question may be stupid...
Which use cases are we targeting by using a WEF collector to push info to Sentinel? In case we have Windows Defender on the client, couldn't we consider this sufficient to guarantee the endpoint security?
Laurent
- Ofer_Shezaf
Oct 26, 2020
Microsoft
Windows Events and EDR events have overlap but also have a distinct value. How much would naturally be specific to the EDR used. There are two primary areas in which Windows Events add value not found in EDR:
- Windows events are used for logging events by many subsystems. For example, SQL Server and printing would both generate Windows events.
- An EDR does not report many security-related Windows events. For example, typically, an EDR would not report on local user management activity.
- milkmix_
Oct 23, 2020
Copper Contributor
Good point, but only works if the customer is using Microsoft EDR or an EDR at all, which is not necessarily the case for all organisations 🙂
So far, most environments I see where an EDR is deployed are still centralizing "native" events in a SIEM. Other components to take into account:
- auditing requirements for some cases
- possibility that the EDR gets bypassed/disabled (in which case you might still detect some actions from the events)
- you might have an EDR on endpoints but not on servers, and you want system+services events from those (not everybody runs its workload in Azure yet ;))
That being said, I agree with strategies like the one presented here, where only curated data from Windows environments is pushed into Sentinel.