MCAS Logs Ingestion MDE vs Log Collector

Copper Contributor

Hi everyone,

we are currently evaluating MCAS and i am having a bit of a hard time figuring out which of the Logs Ingestion options makes sense.

According to the official documentation either integration with MDE (Defender for Endpoint) or the Log Collector can be used to continuously upload network logs.

https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery

DaryaB_0-1617346609408.png

 

So my question is - If we already have MDE in our organization, do we still need Log Collector data or would it just provide duplicate information?

Thanks in advance,

Darya

 

1 Reply

@DaryaB it should provide largely duplicate information.  However there are cases where having both collectors types working can give you a better overall view of SaaS usage:  e.g. devices using proxies but not having MDE installed.  Or MDE usage outside the corporate premises (remote users not using VPN, mobile devices).   If you have a large device base, it's probable the MDE isn't working on all assets so you may still capture their use through the proxy logs.  Having both sources may give you a sanity check of whether the ingestion is working properly or if you have some kind of technical issues.