06-11-2020 11:00 PM
06-11-2020 11:00 PM
To collect Security events from multiple windows hosts, a Windows Event Collector has been set up in the environment that we want to monitor. Can we forward all events from this collector using a Sentinel agent? If so, is there an additional way to filter the events forwarded, except for the standard set of options (minimal, full, recommended), for example based on original host?
Thanks in advance!
06-14-2020 11:37 PM
10-20-2020 06:53 AM
Hi @Ofer_Shezaf ,
Do you have more news about WEF support ?
I installed LA agent on a WEC server and I can retrieve events from the WEC host itself but adding other sources (ex: ForwardedEvents, custom channels from the subscriptions, ...) from `Log Analytics workspaces > ... > Advanced Settings > Data > Windows Event Logs > Collect events from the following event logs` is not working. Note that ForwardedEvents is suggested in the dropdown from this blade.
Any suggestions ?
10-22-2020 11:10 PM
I'm just discovering this topic and the question may be stupid...
Which use cases are we targeting using WEF collector to push info to Sentinel ? In case we have Windows Defender on the client couldn't we consider this is sufficient to guarantee the endpoint security?
10-23-2020 01:36 AM - edited 10-24-2020 12:49 AM
Good point, but only works if the customer is using Microsoft EDR or an EDR at all, which is not necessarily the case for all organisations :)
So far, most environments I see where an EDR is deployed are still centralizing "native" events in a SIEM. Other components to take into account:
- auditing requirements for some cases
- possibility that the EDR gets bypassed/disabled (in which case you might still detect some actions from the events)
- you might have an EDR on endpoints but not on servers and you want system+services events from those (not everybody runs its workload in Azure yet ;))
that being said, I agree with strategies like presented here were only curated data from Windows environments are pushed in Sentinel.
10-26-2020 05:58 AM
Windows Events and EDR events have overlap but also have a distinct value. How much would naturally be specific to the EDR used. There are two primary areas in which Windows Events add value not found in EDR:
10-27-2020 10:17 PM
@Ofer_Shezaf , I can see the option to enable collection for forwarded events in Sentinel once Log analytics is deployed, is till still not in GA ? if not any ETA on when its expected to be in GA.