cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MCAS Logs Ingestion MDE vs Log Collector

DaryaB
Copper Contributor

‎Apr 01 2021 11:59 PM - edited ‎Apr 02 2021 12:06 AM

‎Apr 01 2021 11:59 PM - edited ‎Apr 02 2021 12:06 AM

MCAS Logs Ingestion MDE vs Log Collector

Hi everyone,

we are currently evaluating MCAS and i am having a bit of a hard time figuring out which of the Logs Ingestion options makes sense.

According to the official documentation either integration with MDE (Defender for Endpoint) or the Log Collector can be used to continuously upload network logs.

https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery

DaryaB_0-1617346609408.png

 

So my question is - If we already have MDE in our organization, do we still need Log Collector data or would it just provide duplicate information?

Thanks in advance,

Darya

 

2,108 Views
1 Like
1 Reply
Reply
1 Reply
carpa4

‎Jan 12 2022 10:45 AM

‎Jan 12 2022 10:45 AM

Re: MCAS Logs Ingestion MDE vs Log Collector

@DaryaB it should provide largely duplicate information.  However there are cases where having both collectors types working can give you a better overall view of SaaS usage:  e.g. devices using proxies but not having MDE installed.  Or MDE usage outside the corporate premises (remote users not using VPN, mobile devices).   If you have a large device base, it's probable the MDE isn't working on all assets so you may still capture their use through the proxy logs.  Having both sources may give you a sanity check of whether the ingestion is working properly or if you have some kind of technical issues.

0 Likes
Reply