Azure ATP, Defender ATP + SysMon/Eventlog?


Hi all,

I am currently wondering about a project for one of our customers and would be happy to hear about your opinion.

We have been monitoring Windows Server with Event log, having them extended by SysMon. Now we are happy to have Azure ATP + Defender ATP available for the DCs / Servers. What do you think - should we still continue collecting event logs with SysMon and Monitoring Agent?

Thanks for your input!

Ralph


@Ralph Göbel My personal opinion is if the amount of data being ingested does not cost you too much money, and only you or your customer can really determine that, it is worth ingestion. I would rather have the data and not need it than vice versa.

I would leave them running side by side and check what advantages you see with Sysmon/Eventlogs. They might generate alerts that MDATP does not see.

I don't usually do it as there is not much added value for it

@Thijs Lecomte

Good evening.

I have a doubt.

The logs of the tables that Defender can send to Sentinel, as if it were a sysmon, is it possible to collect the logs that the Event Viewer generates?

That is, a Login Event_id 4624, or password lockout, for example, is it possible to collect via Defender / Sysmon or do I still need the Sentinel MMA agent installed to collect these logs?

Sysmon data is also collected through the MMA agent.

So you need the MMA when you want to retrieve events from the Event Viewer

@Thijs Lecomte

If I receive the logs via Defender, which are similar to the Sysmon logs, do I still need to receive the Event Viewer logs?

[image: pagar_01.png]

That is, a login log (4624), for example, does it come via Defender or via Sysmon, or does this log come only via the installed MMA agent?

 

It really depends. Microsoft doesn't publish what events are ingested through MDE.
You need to check the logs, but I would guess these are in the table 'DeviceLogonEvents'. Have you checked here?
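One way to do the check suggested above, as an added example that is not from anyone in this thread: a Sentinel KQL query that compares successful logons on one host as recorded by the MMA-collected Security log (Event ID 4624, table SecurityEvent) against the MDE DeviceLogonEvents table, so you can see which accounts are visible through only one of the two pipelines. The host name is a placeholder, and both tables are assumed to be connected to the same workspace.

```kusto
// Constructed example: compare logon visibility for one host across the MMA and MDE pipelines.
let host = "dc01.example.local";   // placeholder, replace with a real device name
let window = 24h;
// MMA path: classic Security event log, Event ID 4624 (successful logon)
let mma_logons = SecurityEvent
    | where TimeGenerated > ago(window)
    | where EventID == 4624 and Computer =~ host
    | where AccountType == "User"            // drop machine accounts for readability
    | extend Account = tolower(Account)      // SecurityEvent already uses DOMAIN\user
    | summarize mma_count = count(), mma_types = make_set(LogonType) by Account;
// MDE path: DeviceLogonEvents as delivered by the Microsoft 365 Defender connector
let mde_logons = DeviceLogonEvents
    | where TimeGenerated > ago(window)
    | where ActionType == "LogonSuccess" and DeviceName =~ host
    | extend Account = tolower(strcat(AccountDomain, "\\", AccountName))
    | summarize mde_count = count(), mde_types = make_set(LogonType) by Account;
// Full outer join so accounts seen by only one source still appear
mma_logons
| join kind=fullouter mde_logons on Account
| extend Account = coalesce(Account, Account1)
| extend visibility = case(
    isnull(mma_count), "MDE only",
    isnull(mde_count), "MMA only",
    "both")
| project Account, visibility, mma_count, mde_count, mma_types, mde_types
| order by visibility asc, Account asc
```

Rows marked "MMA only" or "MDE only" are the concrete answer to whether dropping one collector would lose logon visibility on that host; note that SecurityEvent stores LogonType as a number while DeviceLogonEvents uses names such as "Network", so the two type sets are not directly comparable.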