Forum Discussion
csmits
Jun 12, 2020 - Copper Contributor
Log Collection using a Log Analytics Agent from a Windows Event Collector
Hi, to collect Security events from multiple Windows hosts, a Windows Event Collector has been set up in the environment that we want to monitor. Can we forward all events from this collector usi...
Laurent_Cardon
Microsoft
Oct 23, 2020
I'm just discovering this topic and the question may be stupid...
Which use cases are we targeting by using a WEF collector to push information to Sentinel? If we have Windows Defender on the client, couldn't we consider that sufficient to guarantee endpoint security?
Laurent
Ofer_Shezaf
Microsoft
Oct 26, 2020
Windows events and EDR events overlap, but each also has distinct value. How much is naturally specific to the EDR used. There are two primary areas in which Windows events add value not found in EDR:
- Windows events are used for logging by many subsystems. For example, SQL Server and printing both generate Windows events.
- An EDR does not report many security-related Windows events. For example, an EDR would typically not report on local user management activity.
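As an added illustration of the "local user management activity" point above (example code written for this page, not posted by anyone in the thread and not Microsoft's own), the following PowerShell enumerates account and local-group management events that a Windows Event Collector has already received. It assumes the WEC subscription writes into the default ForwardedEvents channel and that the source hosts audit "User Account Management" and "Security Group Management"; the event IDs are the standard Security-log IDs for those audit categories. Run it on the collector itself.

```powershell
# Added example (not from the thread): list local account/group management
# events forwarded to a Windows Event Collector.
# Assumptions: the subscription targets the default ForwardedEvents log and the
# source hosts have User Account Management / Security Group Management auditing on.

function Get-ForwardedAccountManagementEvent {
    [CmdletBinding()]
    param(
        # Channel the WEC subscription writes into; ForwardedEvents is the default.
        [string]$LogName = 'ForwardedEvents',
        [int]$Hours = 24,
        [int]$MaxEvents = 5000
    )

    # Standard Security-log event IDs for local user and local group management.
    $ids = @{
        4720 = 'User account created'
        4722 = 'User account enabled'
        4724 = 'Password reset attempted'
        4725 = 'User account disabled'
        4726 = 'User account deleted'
        4732 = 'Member added to security-enabled local group'
        4733 = 'Member removed from security-enabled local group'
        4738 = 'User account changed'
        4740 = 'User account locked out'
    }

    $filter = @{
        LogName   = $LogName
        Id        = [int[]]$ids.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            Computer      = $e.MachineName      # the forwarding host, not the collector
            Id            = $e.Id
            Description   = $ids[$e.Id]
            TargetAccount = $data['TargetUserName']
            SubjectUser   = $data['SubjectUserName']
            MemberName    = $data['MemberName']  # only populated for group membership events
        }
    }
}

# Usage: one row per forwarded account/group change in the last day, ordered by source host.
Get-ForwardedAccountManagementEvent -Hours 24 |
    Sort-Object Computer, TimeCreated |
    Format-Table TimeCreated, Computer, Id, Description, TargetAccount, SubjectUser -AutoSize
```

The Computer column comes from each event's own System/Computer element, so it names the workstation or server where the change happened rather than the collector. If the output is empty, check that the subscription is active (wecutil gs <name>) and that the source hosts actually emit these IDs; if the relevant audit subcategories are off, nothing is forwarded for the collector to show.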