MDE ingestion and MMA logs

Copper Contributor

If I use the MDE (Defender for endpoint) data connector but already have MMA agents will this create duplicate logs? If I do use the MDE data connector, should I uninstall the MMA agents or is it best to use both?

2 Replies
Data collected by the 2 diferent agents are not the same, but there might be overlapping data in some scenarios. With MMA (and AMA) you can recieve eventlog data, flatfile logs etc. With the legacy MDE connector you only get incidents from MDE and you need to use Security portal to look at data in the incident logs. With the new Microsoft 365 Defender connector you'll get the actual sensor data from MDE into your Log Analytics workspace. Please be aware that there is a cost involved with importing the logs from M365 Defender connector not covered by the Defender for Cloud P2 allowance. /Kenneth ML
These different connectors are purpose driven:

MMA (this will be out of support in 2024 and AMA agent is intended to be used for same purpose.)
1. This helps you to ingest logs from Security Events from Event Viewer logs.
2. Log volume is dependent on Audit policy implemented on the machine.
3. Once you bring them into Sentinel, you can write detections and create incidents
4. You ingestion is charged.

DFE
1. You need have a valid license as @KennethML mentioned.
2. You can ingest the MDE alerts to Sentinel with no additional cost.
3. You have the raw logs available to query in Microsoft Security portal (DeviceEvents, DeviveNetworkEvents etc.,)
4. You can configure the Microsoft 365 Defender connector in Sentinel to get the same logs ingested to Sentinel to support your investigation.
5. Raw logs in defender does not cost you, but ingestion to Sentinel will cost you.