Forum Discussion
Log sources for process creation (4688) events from endpoints
ford8k It seems like Microsoft doesn't care where the data comes from as long as it is stored in Log Analytics, where Sentinel can process it. This is shown by all the various connectors that attach to various systems, both Microsoft and not. I am sure Microsoft would love for you to deploy Defender ATP on all the machines and have all that data coming into Sentinel, but is it realistic? Granted, Defender handles a lot of the security for you, but at the very least the Agent can have log files sent to Sentinel.
There are 2 schools of thought here: 1) Monitor only what you think will cause problems and 2) Monitor everything. While option 1 will reduce your cost, how do you know you are not missing something? Option 2 gives you a better view of your environment but at a higher cost.
Personally, I lean towards option 2 as much as possible since it is better to have the data and not need it rather than need the data and not have it.
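A coverage check that follows from the post's "how do you know you are not missing something?" question, added here as an example and not part of the original reply: it assumes the Log Analytics agent is populating the Heartbeat table and the Security Events connector is writing Windows events to SecurityEvent, and it lists the endpoints that are checking in but have sent no process creation (4688) events in the last seven days.

```kql
// Endpoints whose agent is alive (Heartbeat) but that have produced no 4688
// process creation events in the last 7 days. An empty result means every
// heartbeating host is forwarding 4688; any row is a gap in coverage
// (audit policy not enabled, wrong collection tier, or a stopped forwarder).
Heartbeat
| where TimeGenerated > ago(7d)
| summarize LastHeartbeat = max(TimeGenerated) by Computer
| join kind=leftanti (
    SecurityEvent
    | where TimeGenerated > ago(7d)
    | where EventID == 4688
    | distinct Computer
) on Computer
| project Computer, LastHeartbeat
| order by LastHeartbeat desc
```

Run it in the Sentinel Logs blade; `leftanti` keeps only the Heartbeat rows with no matching Computer in the 4688 subquery, so the output is exactly the machines you would otherwise be blind to. If you lean toward option 2, the same query is a cheap way to prove the "monitor everything" intent actually holds across the fleet.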