What are all logs collected by defender for endpoint from windows endpoints and servers?

Question

What are all logs collected by defender for endpoint from windows endpoints and servers?

Supriya Nelluri 5

Hi Team,

I have some servers from where i am collecting common event ids via AMA agent and sending it to Sentinel SIEM tool. Recently i installed defender for endpoint agent in these servers. I am now thinking of offboarding AMA agent as i already have data coming from defender agent (want to reduce the duplicate data and costs)

To take this decision i am searching for what are all the logs and event ids collected by defender for endpoint sensor. I am unable to find out the answer for this. Can you please let me know what are all the events or logs collected by defender for endpoint(security, Application, system) and can you suggest if i am having defender logs can i stop taking data from AMA agent to sentinel?

Also please attach the Microsoft documentations related to this.

Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-07T03:17:33.72+00:00

Hello Supriya Nelluri ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Supriya Nelluri 5 Reputation points

2025-05-07T06:50:34.6766667+00:00

Hello @Venkata Jagadeep Thanks for your response.

i am sending logs from defender to sentinel and AMA agent to sentinel from servers. Actually i am planning to stop collecting logs from AMA agent to avoid duplication of logs. Here my actual concern is if i stop the this collection of logs from AMA, will i be missing any logs? is all the common event logs collected by defender? What are all logs collected by defender?
I want to understand the impact and take the decision of stopping the the logs from AMA agent. Please suggest is it is a good idea? as i am getting logs from defender agent already but i don't know what are all logs are collected by defender and is those are sufficient for the incident response?
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-08T08:27:50.4166667+00:00

Hello Supriya Nelluri,

The Microsoft Defender XDR connector for Microsoft Sentinel allows you to stream all Microsoft Defender XDR incidents, alerts, and advanced hunting events into Microsoft Sentinel. This connector keeps the incidents synchronized between both portals. Microsoft Defender XDR incidents include alerts, entities, and other relevant information from all the Microsoft Defender products and services.

If you're onboarding Microsoft Sentinel to the Microsoft Defender portal, you must first enable this connector with incident integration so that it collects all the events on the incident.

Ref:

https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?utm_source=chatgpt.com&tabs=MDE

Microsoft Defender for Endpoint creates alerts when suspicious security events are seen in an organization. Fetch alerts generated in MDE to Microsoft Sentinel so that you can effectively analyze security events.

Please refer the below documentation on details about the logs ingested to Sentinal from MDE

https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDE#connect-to-microsoft-defender-xdr
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-09T03:28:46.9566667+00:00

Hello Supriya Nelluri ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-12T05:10:45.99+00:00

Hello Supriya Nelluri ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

1 answer

Your answer

Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-07T03:17:33.72+00:00

Hello Supriya Nelluri ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Supriya Nelluri 5 Reputation points

2025-05-07T06:50:34.6766667+00:00

Hello @Venkata Jagadeep Thanks for your response.

i am sending logs from defender to sentinel and AMA agent to sentinel from servers. Actually i am planning to stop collecting logs from AMA agent to avoid duplication of logs. Here my actual concern is if i stop the this collection of logs from AMA, will i be missing any logs? is all the common event logs collected by defender? What are all logs collected by defender?
I want to understand the impact and take the decision of stopping the the logs from AMA agent. Please suggest is it is a good idea? as i am getting logs from defender agent already but i don't know what are all logs are collected by defender and is those are sufficient for the incident response?
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-08T08:27:50.4166667+00:00

Hello Supriya Nelluri,

The Microsoft Defender XDR connector for Microsoft Sentinel allows you to stream all Microsoft Defender XDR incidents, alerts, and advanced hunting events into Microsoft Sentinel. This connector keeps the incidents synchronized between both portals. Microsoft Defender XDR incidents include alerts, entities, and other relevant information from all the Microsoft Defender products and services.

If you're onboarding Microsoft Sentinel to the Microsoft Defender portal, you must first enable this connector with incident integration so that it collects all the events on the incident.

Ref:

https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?utm_source=chatgpt.com&tabs=MDE

Microsoft Defender for Endpoint creates alerts when suspicious security events are seen in an organization. Fetch alerts generated in MDE to Microsoft Sentinel so that you can effectively analyze security events.

Please refer the below documentation on details about the logs ingested to Sentinal from MDE

https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDE#connect-to-microsoft-defender-xdr
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-09T03:28:46.9566667+00:00

Hello Supriya Nelluri ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator

2025-05-12T05:10:45.99+00:00

Hello Supriya Nelluri ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

Hello Supriya Nelluri,

As per description, we understand that you are collecting event IDs from few servers through Azure Monitor Agent to send events to Sentinel SIEM tool and once you install Defender for Endpoint, want to know which logs are replicated to Sentinel to avoid duplication.

AMA is a lightweight log collection agent, designed to consume as little resources as possible when collecting metrics and logs from your server.

Associated with a Microsoft Sentinel workspace, all logs collected form AMA-installed machines, are sent to the various Microsoft Sentinel tables, depending on the source type from which they were collected (Windows DNS, Windows security events, Firewall, IIS, Syslog, CEF, etc.).

AMA can be controlled using Data Collection Rules (DCR), enabling you to define where to collect the logs from, what data manipulations to perform with KQL transformations (enabling you filtering, parsing, enrichment and more) and where to send the logs to, whether that be a workspace, Eventhubs (for Azure VMS only), Auxiliary tier and so on. You can group machines by using different DCRs.

Ref:

https://techcommunity.microsoft.com/blog/microsoftsentinelblog/revolutionizing-log-collection-with-azure-monitor-agent/4218129

Microsoft Defender for Endpoint creates alerts when suspicious security events are seen in an organization.

Fetch alerts generated in Microsoft Defender for Endpoint to Microsoft Sentinel so that you can effectively analyze security events. You can create rules, build dashboards and author playbooks for immediate response

I suggest you refer the below documentation.

https://learn.microsoft.com/en-us/azure/sentinel/connect-services-api-based

https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/microsoft-defender-for-endpoint

Share via

What are all logs collected by defender for endpoint from windows endpoints and servers?

1 answer

Your answer