Defender for Endpoint provides a really great and relatively affordable way of ingesting large-scale, Sysmon-like endpoint events into your SIEM for correlation (seriously, it is way cheaper, and even free if you keep your events in Defender and use advanced hunting). But if you choose to forward those logs to a SIEM like Sentinel or Splunk, there are caveats to be aware of.
Sampling
Microsoft cuts some corners with the logs exposed to the customer to help save costs. These logs take up serious bandwidth to transmit and store, especially at the scale Microsoft operates at, so not every event that happens on the endpoint makes it into the tables you can query. I heavily recommend reading this blog by Olaf Hartong: Microsoft Defender for Endpoint Internals 0x03 — MDE telemetry unreliability and log augmentation | by Olaf Hartong | FalconForce | Medium
The weirdness with creating and renaming small files
With the concept of trimming events for bandwidth in mind, I've stumbled on some weird behavior on my Windows 11 workstation: I can't find all my text files.

I can manually create text files in the root of the C:\ drive or in my user Documents folder, but all I get are the `.lnk` shortcuts created by Windows automatically (placed in `AppData\Roaming\Microsoft\Windows\Recent`). This behavior is the same regardless of whether the file is empty or has content.

Additionally, not every file rename is captured. I've been able to rename these text files and not see a corresponding `.lnk`, let alone a `.txt`, appear.
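The cheap way to know how bad this is for your own fleet is to measure it rather than eyeball it: perform a known set of creates and renames on a test host, export the matching `DeviceFileEvents` rows from advanced hunting (something like `DeviceFileEvents | where DeviceName == "testhost" | where Timestamp > ago(1h)`), and diff the two. The script below is an added example, not code from the original post or from Microsoft; the manifest of operations and the exported rows are constructed to mirror the behaviour described above (only the Recent-folder `.lnk` appears for each create, the rename is missing entirely), the user name `alice` and host paths are made up, and the assumption that Windows names the shortcut `<name>.lnk` or `<stem>.lnk` is flagged in the code.

```python
"""Coverage check for Defender for Endpoint DeviceFileEvents.

Compare a manifest of file operations performed by hand on a test host
against the DeviceFileEvents rows exported from advanced hunting for the
same window, and report for each operation whether MDE recorded it
directly, only indirectly (via the .lnk Windows drops in the Recent
folder), or not at all.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class FileOp:
    action: str          # DeviceFileEvents ActionType: "FileCreated" or "FileRenamed"
    path: str            # full path of the file after the operation
    previous: str = ""   # full path before a rename; empty for a create


# Constructed manifest: what was actually done on the test workstation.
PERFORMED = [
    FileOp("FileCreated", r"C:\test1.txt"),
    FileOp("FileCreated", r"C:\Users\alice\Documents\notes.txt"),
    FileOp("FileRenamed", r"C:\test2.txt", previous=r"C:\test1.txt"),
]

# Constructed DeviceFileEvents rows, limited to a few real schema columns.
# Only the Recent-folder shortcut shows up for each create; the rename
# produced no row at all.
RECENT = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent"
EXPORTED_ROWS = [
    {"Timestamp": "2024-01-10T09:00:01Z", "ActionType": "FileCreated",
     "FileName": "test1.txt.lnk", "FolderPath": RECENT + r"\test1.txt.lnk",
     "PreviousFileName": "", "PreviousFolderPath": ""},
    {"Timestamp": "2024-01-10T09:00:40Z", "ActionType": "FileCreated",
     "FileName": "notes.txt.lnk", "FolderPath": RECENT + r"\notes.txt.lnk",
     "PreviousFileName": "", "PreviousFolderPath": ""},
]


def full_path(folder_path, file_name):
    """Return the full path for a row. DeviceFileEvents FolderPath normally
    already includes the file name; tolerate an export that gives only the directory."""
    if folder_path.lower().endswith(file_name.lower()):
        return folder_path
    return ntpath.join(folder_path, file_name)


def _same(a, b):
    # Windows paths are case-insensitive, so compare normalised forms.
    return ntpath.normcase(a) == ntpath.normcase(b)


def direct_match(op, row):
    """True if the row records exactly this operation on exactly this file."""
    if row["ActionType"] != op.action:
        return False
    if not _same(full_path(row["FolderPath"], row["FileName"]), op.path):
        return False
    if op.action == "FileRenamed":
        return _same(row.get("PreviousFileName", ""), ntpath.basename(op.previous))
    return True


def recent_lnk_match(op, row):
    """True if the row is only the Recent-folder shortcut Windows made for the file.
    Assumption: the shortcut is named '<name>.lnk' or '<stem>.lnk' for a file '<stem>.<ext>'."""
    name = row["FileName"]
    if not name.lower().endswith(".lnk") or "\\recent\\" not in row["FolderPath"].lower():
        return False
    target = ntpath.basename(op.path)
    stem = ntpath.splitext(target)[0]
    shortcut_for = name[:-4]
    return shortcut_for.lower() in (target.lower(), stem.lower())


def check_coverage(ops, rows):
    """Map each FileOp to 'captured', 'lnk_only' or 'missing'."""
    result = {}
    for op in ops:
        if any(direct_match(op, r) for r in rows):
            result[op] = "captured"
        elif any(recent_lnk_match(op, r) for r in rows):
            result[op] = "lnk_only"
        else:
            result[op] = "missing"
    return result


def summarize(ops, rows):
    """Count outcomes so a coverage figure can be tracked across builds and hosts."""
    cov = check_coverage(ops, rows)
    return {s: sum(1 for v in cov.values() if v == s)
            for s in ("captured", "lnk_only", "missing")}


if __name__ == "__main__":
    for op, status in check_coverage(PERFORMED, EXPORTED_ROWS).items():
        print(f"{status:9} {op.action:12} {op.path}")
    print(summarize(PERFORMED, EXPORTED_ROWS))
```

Run it against the constructed data and the two creates come back `lnk_only` while the rename is `missing`; swap in a real export (one dict per row, same column names) and a manifest of what you actually did and the summary tells you how much of your file activity a detection built on `DeviceFileEvents` could ever see on that host. The `lnk_only` bucket matters because a Recent-folder shortcut is the only breadcrumb left for those files: it proves the user touched the file, but it carries no hash, no content size and nothing about renames.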
I've not had a chance to try this on Windows 10 or compare against real Sysmon, but it goes to show that there are caveats on your ability to write detections when working with Defender's native logging compared to implementing Sysmon proper.
This is not a condemnation of Defender's logging; I love it, and even with these small issues it's an excellent way to get those holy-grail endpoint logs at a decent cost without any of the upkeep or overhead that comes with Sysmon.