What are all logs collected by defender for endpoint from windows endpoints and servers?

Supriya Nelluri 5 Reputation points
2025-05-05T06:20:53.7033333+00:00

Hi Team,

I have some servers from which I am collecting common event IDs via the AMA agent and sending them to the Sentinel SIEM tool. Recently I installed the Defender for Endpoint agent on these servers. I am now thinking of offboarding the AMA agent, as I already have data coming from the Defender agent (I want to reduce duplicate data and costs).

To make this decision I am searching for which logs and event IDs are collected by the Defender for Endpoint sensor. I am unable to find the answer to this. Can you please let me know which events or logs are collected by Defender for Endpoint (Security, Application, System), and can you suggest whether, if I have Defender logs, I can stop sending data from the AMA agent to Sentinel?

Also, please attach the Microsoft documentation related to this.

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

1 answer

  1. Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator
    2025-05-06T09:21:19.8966667+00:00

    Hello Supriya Nelluri,

    As per the description, we understand that you are collecting event IDs from a few servers through the Azure Monitor Agent to send events to the Sentinel SIEM tool, and once you install Defender for Endpoint, you want to know which logs are replicated to Sentinel to avoid duplication.

    AMA is a lightweight log collection agent, designed to consume as few resources as possible when collecting metrics and logs from your server.

    Associated with a Microsoft Sentinel workspace, all logs collected from AMA-installed machines are sent to the various Microsoft Sentinel tables, depending on the source type from which they were collected (Windows DNS, Windows security events, Firewall, IIS, Syslog, CEF, etc.).

    AMA can be controlled using Data Collection Rules (DCR), enabling you to define where to collect the logs from, what data manipulations to perform with KQL transformations (enabling filtering, parsing, enrichment and more) and where to send the logs to, whether that be a workspace, Event Hubs (for Azure VMs only), the Auxiliary tier and so on. You can group machines by using different DCRs.

    Ref:

    https://techcommunity.microsoft.com/blog/microsoftsentinelblog/revolutionizing-log-collection-with-azure-monitor-agent/4218129

    Microsoft Defender for Endpoint creates alerts when suspicious security events are seen in an organization.

    Fetch alerts generated in Microsoft Defender for Endpoint to Microsoft Sentinel so that you can effectively analyze security events. You can create rules, build dashboards and author playbooks for immediate response.

    I suggest you refer to the documentation below.

    https://learn.microsoft.com/en-us/azure/sentinel/connect-services-api-based

    https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/microsoft-defender-for-endpoint

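The DCR mechanism described in the answer above, shown as an added example (not part of the original post or Microsoft's own samples): a data collection rule that keeps AMA running but narrows the Windows Security channel to a short list of event IDs with an XPath query, then applies a KQL transformation before the rows land in the Sentinel workspace. The subscription, resource group, workspace name and the chosen event IDs are placeholders and assumptions.

```json
{
  "location": "<region>",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "securityChannelFiltered",
          "streams": [ "Microsoft-SecurityEvent" ],
          "xPathQueries": [
            "Security!*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720)]]"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-SecurityEvent" ],
        "destinations": [ "sentinelWorkspace" ],
        "transformKql": "source | where Account !endswith '$'"
      }
    ]
  }
}
```

The XPath filter reduces what AMA reads from the channel, so only the listed event IDs are ingested; the `transformKql` (here an illustrative filter that drops computer-account logons) runs on the ingestion pipeline and further trims what is billed in the workspace.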
