Apr 01 2021 11:59 PM - edited Apr 02 2021 12:06 AM
Hi everyone,
We are currently evaluating MCAS and I am having a bit of a hard time figuring out which of the Logs Ingestion options makes sense.
According to the official documentation either integration with MDE (Defender for Endpoint) or the Log Collector can be used to continuously upload network logs.
https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery
So my question is - If we already have MDE in our organization, do we still need Log Collector data or would it just provide duplicate information?
Thanks in advance,
Darya
Jan 12 2022 10:45 AM
@DaryaB It should provide largely duplicate information. However, there are cases where having both collector types working can give you a better overall view of SaaS usage: e.g. devices using proxies but not having MDE installed, or MDE usage outside the corporate premises (remote users not using VPN, mobile devices). If you have a large device base, it's probable the MDE isn't working on all assets, so you may still capture their use through the proxy logs. Having both sources may give you a sanity check of whether the ingestion is working properly or if you have some kind of technical issues.
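The reply above boils down to two checks a practitioner would actually run: which devices show up in the proxy (Log Collector) feed but not in MDE, and whether the two feeds overlap at all (no overlap usually means one ingestion path is broken). The script below is an added illustration, not code from either post and not anything MCAS or MDE ship; the device list and proxy log lines are constructed sample data in a made-up space-separated format, and the function names are this example's own.

```python
"""Reconcile two Cloud Discovery sources to spot coverage gaps.

Added example with constructed data: a set of hostnames MDE reports as onboarded,
and a handful of proxy log lines of the kind a Log Collector would upload.
It does not call any MCAS or MDE API; you would feed it your own exports.
"""
from collections import defaultdict

# Constructed: hostnames that MDE reports as onboarded and sending discovery data.
MDE_DEVICES = {"LAPTOP-01", "LAPTOP-02", "DESKTOP-07"}

# Constructed proxy log lines, one per request:
#   date time client_host user dest_host bytes
PROXY_LOG = """\
2021-04-01 09:12:01 LAPTOP-01 alice dropbox.com 48210
2021-04-01 09:13:44 LAPTOP-02 bob slack.com 1520
2021-04-01 09:15:10 PRINTER-03 - wetransfer.com 902112
2021-04-01 09:20:00 LAPTOP-01 alice box.com 7700
2021-04-01 09:21:30 KIOSK-11 guest pastebin.com 310
malformed line
"""


def parse_proxy_log(text):
    """Yield (client_host, dest_host, bytes) tuples; skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # wrong field count: ignore rather than crash on a bad line
        try:
            yield parts[2], parts[4], int(parts[5])
        except ValueError:
            continue  # non-numeric byte count


def coverage_report(mde_devices, proxy_text):
    """Compare the MDE device list with the devices seen in the proxy feed.

    Returns the devices present in both, in only one source, the bytes and
    destination apps that only the proxy feed accounts for, and a 'no_overlap'
    flag: two non-empty feeds that share no device usually mean one of them is
    not being ingested correctly.
    """
    bytes_by_host = defaultdict(int)
    apps_by_host = defaultdict(set)
    for host, dest, nbytes in parse_proxy_log(proxy_text):
        bytes_by_host[host] += nbytes
        apps_by_host[host].add(dest)

    proxy_devices = set(bytes_by_host)
    mde = set(mde_devices)
    only_proxy = proxy_devices - mde
    only_mde = mde - proxy_devices
    both = proxy_devices & mde

    uncovered_apps = set()
    for host in only_proxy:
        uncovered_apps |= apps_by_host[host]

    return {
        "both": sorted(both),
        "only_proxy": sorted(only_proxy),           # devices MDE alone would miss
        "only_mde": sorted(only_mde),               # devices the proxy alone would miss
        "uncovered_bytes": sum(bytes_by_host[h] for h in only_proxy),
        "uncovered_apps": sorted(uncovered_apps),
        "no_overlap": bool(proxy_devices and mde and not both),
    }


if __name__ == "__main__":
    report = coverage_report(MDE_DEVICES, PROXY_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed data, the two laptops appear in both feeds, the printer and the kiosk are visible only through the proxy (and account for all of the "uncovered" traffic to wetransfer.com and pastebin.com), and DESKTOP-07 is known to MDE but generated no proxy traffic in this window. Running the same comparison over real exports on a schedule gives the sanity check the reply describes: a sudden jump in `only_proxy` or `only_mde`, or `no_overlap` turning true, points at an ingestion problem rather than a real change in usage.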