Sysmon worth using in addition to Defender ATP?


I'm trying to get opinions on whether Sysmon is worth using alongside Defender ATP. The logs would be going into Splunk, if that helps, but just in general.


(Disclaimer: I have asked this in a couple of blue team Slack chats as well.)

5 Replies

Active to defender

Hey Simon, thanks for the response but I don't understand.

Hi,

I think this highly depends on your needs. I had some discussions with researchers and the conclusion was that Defender ATP (MDE) detects a lot of things that Sysmon does, but Sysmon can get even a bit more data and you are more flexible in distributing this data to your SIEM.

It highly depends on your needs and your environment.

Thanks, that's kind of how I feel about it.

We do exactly this. There's certainly going to be significant overlap, but having a configuration that is able to be tuned to your needs (Sysmon) is incredibly useful. We've been doing testing of different attacker techniques and there are things you can log via Sysmon that won't show up in the ATP timeline (e.g. named pipes). And aside from that there's always the advantage of being able to access the data from a common interface with your other logs when sending to your SIEM.
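As an added illustration of the tunable named-pipe logging mentioned in the reply above (this is an example configuration written for this thread, not a file from the poster or from Microsoft), here is a minimal Sysmon configuration that turns on pipe events and shows where site-specific noise exclusions go. The schema version and the excluded image path are assumptions; adjust the version to match your installed Sysmon binary and replace the placeholder path with a process you have actually confirmed to be noisy in your environment.

```xml
<!-- Added example Sysmon configuration (not from the original post).
     schemaversion is an assumption: use the value reported by
     "sysmon -? config" for the Sysmon build you run. -->
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- PipeEvent covers Event ID 17 (pipe created) and
           Event ID 18 (pipe connected). With onmatch="exclude",
           every pipe event is logged EXCEPT the ones matched below,
           so an empty exclude block means "log all named pipes". -->
      <PipeEvent onmatch="exclude">
        <!-- Placeholder exclusion: a hypothetical agent that creates
             many benign pipes. Exclude by full image path, never by a
             bare file name, so a renamed binary elsewhere still logs. -->
        <Image condition="is">C:\Program Files\ExampleVendor\example-agent.exe</Image>
      </PipeEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with an elevated `sysmon -c <file>` and confirm events 17/18 appear under Microsoft-Windows-Sysmon/Operational before pointing the Splunk forwarder at that channel; review exclusions periodically, since each one is a blind spot the SIEM will never see.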