NicS
Copper Contributor
Mar 09, 2022

Users endpoint security events Sentinel

Does ingesting Security Events from users' machines into Sentinel make sense, or is it more effective to simply enrol in MDE and enable the Defender 365 Sentinel connector?

I am concerned by the large number of logs generated by users' endpoints if we enable log ingestion via the AMA (MMA) agent.

Thanks

  • GaryBushey
    Bronze Contributor

    NicS If you can use MDE then it definitely makes sense to use it. This will save you from having to recreate all the queries that MDE has out of the box. In addition, MDE can provide other services that make it better suited in this case.

    Someone told me to think of MS Sentinel as a backstop. Use it to catch everything that other programs miss. It would not make sense to not use a catcher (in this case MDE) if you have one 🙂
