Forum Discussion
RVC
Feb 21, 2024 - Brass Contributor
Windows event logging to SIEM (Sentinel)
I am working in a landscape where several old systems are active. Yes, it's a concern that receives attention and is being addressed, but it's separate from this question. For the SOC we need Eve...
Clive_Watson
Feb 21, 2024 - Bronze Contributor
Personally I'd do anything to avoid using MMA at this stage. WEC/WEF sounds like a reasonable option; a quick test should confirm any fears. From memory, the source machine is listed in the schema, so there should be no compatibility issue.
RVC
Feb 22, 2024 - Brass Contributor
Clive_Watson, thanks for your reply.
I heard concerns that the format of this content (the content collected via WEF/WEC) seems slightly different than when MMA or AMA is used. Is that correct? Even if the final step is using AMA to ingest the traffic into Sentinel?
That person stated that it may have an impact at the time we migrate to ARC/AMA for all the systems.
Clive_Watson
Feb 22, 2024 - Bronze Contributor
Given that you have 8 days, I'd look to use WEC for now - I don't have a demo system anymore, so can't comment on the impact; perhaps others will know.
The WEF process is via AMA on the internet connected Server so that (should) align the schema.