
Collecting Security Events from End point devices

Hi,

I would like to know whether Defender for Endpoint has the functionality to collect security events from endpoint devices, or whether we need to install the AMA agent specifically for this purpose on desktops/laptops.

How can we gather the security events to detect cases like "Critical Registry Key Value Modified" on a desktop/laptop, or multiple failed logons to the desktops/laptops?

Or will Defender for Endpoint, with its ML capabilities, cover those cases as well?

best response confirmed by santhoshmohd (Copper Contributor)
Solution

MDE does gather logon/logoff events as well as registry-related events, and also gives you access to these events in Advanced Hunting.
You can also create custom detection rules using KQL to create alerts, which could help you with detections.

However, I don't think all security events are gathered, so it is hard to tell if this will be enough.
There is no list of threats that MDE hunts for, or which type of events MDE will make available in advanced hunting, and you cannot choose what events to gather.

Therefore, I do not think there is a clear-cut answer here.
You will need to try and see what can be found within Advanced Hunting on your own.
If this is enough, you can use MDE. If it is not enough, you will likely require AMA.

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/advanced-hunting-overview?...
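
As an added illustration (my own example, not part of the answer above), these are the two Advanced Hunting queries I would start from for the two cases the question names: a write to a watched registry key, and a burst of failed logons on one device. Both use the schema tables the answer refers to (DeviceRegistryEvents and DeviceLogonEvents). The list of watched keys and the threshold of 10 failures in 10 minutes are placeholders to be tuned for your environment. Each query is run separately in the Advanced Hunting editor; each projects Timestamp, DeviceId and ReportId, which a custom detection rule requires in its result set.

```kusto
// Query 1: changes to a watched set of registry keys.
// WatchedKeys is a constructed placeholder list; extend it with the
// keys your organisation considers critical.
let WatchedKeys = dynamic([
    @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
]);
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated",
                       "RegistryValueDeleted", "RegistryKeyDeleted")
| where RegistryKey has_any (WatchedKeys)
// Timestamp, DeviceId and ReportId are required for a custom detection rule;
// the remaining columns give the analyst the before/after value and the
// process that made the change.
| project Timestamp, DeviceId, ReportId, DeviceName, ActionType,
          RegistryKey, RegistryValueName, RegistryValueData,
          PreviousRegistryValueData, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// Query 2: repeated failed logons on a single device.
// Groups failures into 10-minute windows per device and keeps the
// identifiers of the most recent failure so the result can feed a rule.
DeviceLogonEvents
| where Timestamp > ago(1h)
| where ActionType == "LogonFailed"
| summarize FailedCount = count(),
            FirstSeen   = min(Timestamp),
            Accounts    = make_set(AccountName, 20),
            SourceIPs   = make_set(RemoteIP, 20),
            arg_max(Timestamp, DeviceId, ReportId)
    by DeviceName, Window = bin(Timestamp, 10m)
| where FailedCount >= 10          // placeholder threshold; tune per environment
| project Timestamp, DeviceId, ReportId, DeviceName, Window,
          FailedCount, FirstSeen, Accounts, SourceIPs
| order by FailedCount desc
```

Before turning either query into a custom detection rule, run it over a week of data and look at what it returns: the registry query will show you which of the watched keys are legitimately touched by installers and management tools (add an exclusion on InitiatingProcessFileName for those), and the logon query will show you whether a threshold of 10 is too low for devices with scheduled tasks or service accounts that retry with stale credentials. That exercise is also the quickest way to answer the question in the thread, since it shows directly whether the events you care about are present in Advanced Hunting or whether you need AMA for the rest.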
