Forum Discussion
13__C
Apr 17, 2023 (Copper Contributor)
MDE ingestion and MMA logs
If I use the MDE (Defender for Endpoint) data connector but already have MMA agents, will this create duplicate logs? If I do use the MDE data connector, should I uninstall the MMA agents or is it bes...
samikroy
Apr 21, 2023 (Brass Contributor)
These different connectors are purpose driven:
MMA (this will be out of support in 2024, and the AMA agent is intended to be used for the same purpose.)
1. This helps you to ingest logs from Security Events from Event Viewer logs.
2. Log volume is dependent on the audit policy implemented on the machine.
3. Once you bring them into Sentinel, you can write detections and create incidents.
4. Your ingestion is charged.
DFE
1. You need to have a valid license, as KennethML mentioned.
2. You can ingest the MDE alerts to Sentinel with no additional cost.
3. You have the raw logs available to query in the Microsoft Security portal (DeviceEvents, DeviceNetworkEvents, etc.)
4. You can configure the Microsoft 365 Defender connector in Sentinel to get the same logs ingested to Sentinel to support your investigation.
5. Raw logs in Defender do not cost you, but ingestion to Sentinel will cost you.
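
One way to see whether the same hosts are sending process-creation data through both paths discussed in this thread, as an added example that is not part of the original posts. It assumes the workspace contains both the `SecurityEvent` table (MMA/AMA) and the `DeviceProcessEvents` table (streamed by the Microsoft 365 Defender connector); the `lookback` window and the short-hostname normalisation are choices made for this example.

```kql
// Added example, not from the thread.
// Assumption: SecurityEvent (agent) and DeviceProcessEvents (Defender connector)
// are both present in the Sentinel workspace.
let lookback = 1d;
let agent = SecurityEvent
    | where TimeGenerated > ago(lookback)
    // 4688 = process creation; only logged if the audit policy enables it
    | where EventID == 4688
    | summarize AgentProcessEvents = count()
        by Host = tolower(tostring(split(Computer, ".")[0]));
let mde = DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType == "ProcessCreated"
    | summarize MdeProcessEvents = count()
        by Host = tolower(tostring(split(DeviceName, ".")[0]));
agent
| join kind=fullouter mde on Host
// After a full outer join the missing side's Host is empty; take whichever is set
| extend Host = coalesce(Host, Host1)
| extend Coverage = case(
    isnotnull(AgentProcessEvents) and isnotnull(MdeProcessEvents), "both",
    isnotnull(AgentProcessEvents), "agent only",
    "MDE only")
| project Host, Coverage, AgentProcessEvents, MdeProcessEvents
| order by Coverage asc, Host asc
```

Hosts marked "both" are the ones where process-creation telemetry is being ingested, and charged, twice; they are the candidates for trimming either the audit policy or the connector's table selection.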