



If you are looking at using Microsoft Sentinel, then Active Directory is likely high on your list of sources to onboard. If you already use it, you probably spend a fair bit of time digging through Active Directory logs. Despite Microsoft's push to Azure Active Directory, on-premises Active Directory is still heavily used. You may have migrated some workloads to the cloud, but chances are you still run it on premises. Attacking and defending Active Directory is such a broad subject that it is basically a speciality within cyber security itself.

You can onboard Active Directory logs a number of ways, and they all have their pros and cons. The purpose of this post is to show you the different options so that you can make an informed decision on which way to go. You may have heard reference to the Log Analytics agent or the Azure Monitor Agent, and you may already be licensed for Defender for Identity too. In general, to ship logs to Sentinel from Active Directory you will need an agent installed on your domain controllers. You could also be doing native Windows Event Forwarding, but to keep it simple, let's look at the agent options.

The events written to Sentinel will be an exact match for what is logged on your domain controllers. If EventId 4776 is logged on the server, Sentinel will retain an exact copy. These are written to the SecurityEvent table. Which EventIds you ingest depends on which tier (All, Common, Minimal or None) you choose in the connector, so if an event is on the domain controller but not in Sentinel, check the tier before you go looking for an agent fault.
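To check what is actually landing in the SecurityEvent table discussed above, here are two KQL queries you can run in the Sentinel Logs blade. This is an added example and not code from the original post; it assumes the Security Events connector is already ingesting from your domain controllers, uses a 24 hour window, and picks EventID 4776 as the event of interest because that is the one the post uses as its example. Column names are those of the SecurityEvent schema.

```kql
// Added example (not from the original post). Run each query on its own.
// Assumes the Security Events connector is already sending data; 24h window.

// 1. Per-domain-controller inventory of EventIDs that actually arrived.
//    If an ID your DCs log is missing here, the usual cause is the tier
//    (All / Common / Minimal) you picked in the connector, not the agent.
SecurityEvent
| where TimeGenerated > ago(24h)
| summarize Count = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by Computer, EventID
| order by Computer asc, EventID asc

// 2. The 4776 (NTLM credential validation) events themselves. TargetUserName,
//    Workstation and Status are the values the DC wrote to its own Security
//    log, so you can compare them line for line with Event Viewer on the DC.
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4776
| project TimeGenerated, Computer, TargetUserName, Workstation, Status, PackageName
| order by TimeGenerated desc
```

If query 1 shows 4776 for one domain controller but not another, both DCs are on the same tier, and the second DC is not a member of the Log Analytics workspace (or the agent on it is not reporting), that is the agent, not the tier. If query 2 returns rows for every DC, you have confirmed the "exact copy" behaviour the post describes for that event.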
