Jul 27 2022
We have a few activity rules which rely on specific SIDs of well-known groups, etc. It is unclear to me which source is needed to enable those activity rules.
There is also a preview for Active Directory, but in the Microsoft docs I do not see any information besides toggling the option to On :)
I have the following questions:
UEBA also relies on security event ingestion; we already ingest those events from our domain controllers with the common setting.
4. Will there be an overlap in the security events that are ingested?
From Defender we also ingest the following 3 tables into Sentinel:
Is this overkill, or is there a best practice available when you utilize all these data sources from your Domain Controllers?