Users endpoint security events Sentinel

New Contributor

Does ingesting Security Events from users' machines into Sentinel make sense, or is it more effective to simply enrol in MDE and enable Defender 365 sentinel connector?

I am concerned by the large number of logs generated by users' endpoints if we enable logs ingestion via AMA (MMA) agent. 

 

Thanks

2 Replies

@NicS If you can use MDE then it definitely makes sense to use it.  This will save you from having to recreate all the queries that MDE has out of the box.   In addition MDE can provide other services that make it better suited in this case.

 

Someone told me to think of MS Sentinel as a backstop.  Use it to catch everything that other programs miss.  It would not make sense to not use a catcher (in this case MDE) if you have one :)

Thank you, Gary