May 01 2022 11:03 AM
Hi,
Would like to know whether Defender for Endpoint has the functionality to collect security events from endpoint devices, or whether we need to install the AMA agent specifically for this purpose on desktops/laptops.
How can we gather the security events to detect cases like "Critical Registry Key Value Modified" on a desktop/laptop, or multiple failed logons to desktops/laptops?
Or will Defender for Endpoint, having ML capabilities, cover those cases as well?
May 01 2022 05:57 PM - edited May 01 2022 06:09 PM
Solution
MDE does gather logon/logoff events as well as registry-related events, and also gives you access to these events in Advanced Hunting.
You can also create custom detection rules using KQL to create alerts, which could help you with detections.
However, I don't think all security events are gathered, so it is hard to tell if this will be enough.
There is no list of threats that MDE hunts for, or which type of events MDE will make available in advanced hunting, and you cannot choose what events to gather.
Therefore, I do not think there is a clear-cut answer here.
You will need to try and see what can be found within Advanced Hunting on your own.
If this is enough, you can use MDE. If it is not enough, you will likely require AMA.
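As an added illustration of the approach described in this answer (not code from the thread), here are two Advanced Hunting queries that cover the two cases asked about in the question: a burst of failed logons on one device, and a change to a sensitive registry key. Table and column names are those of the MDE advanced hunting schema (DeviceLogonEvents, DeviceRegistryEvents); the 10-failure threshold, the one-hour window and the list of "critical" key paths are assumptions to be tuned for your environment, and each query is pasted separately when saving it as a custom detection rule.

```kql
// Query 1: multiple failed logons on a desktop/laptop.
// Custom detection rules require Timestamp, DeviceId and ReportId in the output,
// so arg_max() carries the latest event's ReportId through the summarize.
DeviceLogonEvents
| where Timestamp > ago(1h)                      // assumed window
| where ActionType == "LogonFailed"
| summarize FailedCount = count(),
            FirstFailure = min(Timestamp),
            arg_max(Timestamp, ReportId, RemoteIP, FailureReason)
    by DeviceId, DeviceName, AccountName
| where FailedCount >= 10                        // assumed threshold
| project Timestamp, DeviceId, ReportId, DeviceName, AccountName,
          FailedCount, FirstFailure, RemoteIP, FailureReason

// Query 2: critical registry key/value modified.
// The key paths below are constructed examples of commonly monitored
// persistence and tamper locations; replace them with your own list.
DeviceRegistryEvents
| where Timestamp > ago(1h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated",
                       "RegistryKeyDeleted", "RegistryValueDeleted")
| where RegistryKey has_any ("\\CurrentVersion\\Run",
                             "\\CurrentVersion\\RunOnce",
                             "\\Windows Defender\\")
| project Timestamp, DeviceId, ReportId, DeviceName, ActionType,
          RegistryKey, RegistryValueName, RegistryValueData,
          PreviousRegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName
```

Run each query in Advanced Hunting first to check what your tenant actually returns before turning it into a custom detection; if the events you need are missing from these tables, that is the signal that AMA is required for those devices.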