![]() For the Log Analytics agent, this will depend on which logging tier you select. Whatever you configure you will ingest into Sentinel. You also get the added Azure Arc capability if you want to leverage any of it.įor the Log Analytics and Azure Monitor agents the coverage is straight forward. Then you could just take a subset of events from other assets. You could take all the logs from your critical assets. It is also easy to have different collection rules. ![]() Using the new one gives you the ability to customize your logs, which is a huge benefit. The Azure Monitor agent is the natural evolution of the Log Analytics agent. So the first two agents are pretty similar. There is a delay in logs as they are sent to the Defender for Identity service, then to Sentinel.It should be significantly less than raw logs however. The cost will depend on the size of your environment of course.They will change or update only as the Defender for Identity product evolves. There is no ability to customize these events.You can enable it via the ‘Microsoft 365 Defender’ data connector under ‘Microsoft Defender for Identity’ IdentityQueryEvents – will show you query events, such as SAMR or DNS queries.IdentityDirectoryEvents – will show you directory events, such as group membership changing, or an account being disabled.IdentityLogonEvents – will show you logon events, both in Active Directory and across Office 365.These are the same logs that appear in Advanced Hunting if you have previously used that. Summarized event data can also be written back to Sentinel. ![]() You can enable it via the ‘Microsoft Defender for Identity’ data connector.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |