Forum Discussion
Log Collection using a Log Analytics Agent from a Windows Event Collector
I'm just discovering this topic and the question may be stupid...
Which use cases are we targeting by using a WEF collector to push information to Sentinel? If we have Windows Defender on the client, couldn't we consider that sufficient to guarantee endpoint security?
Laurent
Good point, but that only works if the customer is using Microsoft EDR, or an EDR at all, which is not necessarily the case for all organisations 🙂
So far, most environments I see where an EDR is deployed are still centralizing "native" events in a SIEM. Other components to take into account:
- auditing requirements for some cases
- possibility that the EDR gets bypassed/disabled (in which case you might still detect some actions from the events)
- you might have an EDR on endpoints but not on servers, and you want system and service events from those (not everybody runs their workloads in Azure yet ;))
That being said, I agree with strategies like the one presented here, where only curated data from Windows environments is pushed to Sentinel.