Endpoint Security Integration vs. Windows and System Integrations

Hey there,
I need some help figuring out what the best practice is for collecting logs. What I would like to accomplish is to replace my current XDR solution with Elastic Endpoint Security (all without breaking the bank). I then want to take those alerts and feed them into my SOAR.

I currently have 900+ endpoints, all enrolled via Fleet. Elastic Endpoint Security is installed on every endpoint, but I have all of its event collection turned off due to the sheer amount of information that comes in. Instead, I am using the System and Windows integrations to collect logs and drop the ones that create too much noise.

Is it better to continue collecting logs the way I am, or should I move to event collection from Endpoint Security?

Thanks for any input!

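For readers who want to see what "drop the logs that create too much noise" looks like in practice, here is an added example (not from the original poster or from Elastic's docs) of Beats-style processors as they can be set in the Windows integration's advanced input options. The event IDs and the process name are assumed illustrative values, not a recommendation for any specific environment.

```yaml
# Added example: per-input processors for the Windows integration's
# Security channel. Beats-style 'drop_event' with 'when' conditions
# discards matching events before they are shipped to Elasticsearch.
# Event IDs and the process name below are assumptions for illustration.
processors:
  # Narrow filter: 4688 (process creation) only for one known-chatty
  # indexer helper, so other process creations keep flowing to detections.
  - drop_event:
      when:
        and:
          - equals:
              winlog.event_id: "4688"
          - equals:
              process.name: "SearchProtocolHost.exe"
  # Narrow filter: 4662 (directory object access) only when generated by
  # an assumed service account whose replication traffic dominates volume.
  - drop_event:
      when:
        and:
          - equals:
              winlog.event_id: "4662"
          - equals:
              user.name: "svc-backup-example"
```

Prefer conditions that combine the event ID with a process or account, as above, rather than dropping an entire event ID: a blanket drop of 4688 or 4662 also removes the events that brute-force and lateral-movement detections depend on, and a dropped event cannot be recovered later.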

Hi @TTCD - sorry for the delay in response.

As a general recommendation, the Endpoint Security integration will give you very relevant security data for your use as an EDR/XDR solution. It may be the best approach to start with Endpoint Security and use the event filtering capabilities to reduce the log volume if necessary (see: Event filters | Elastic Security Solution [8.0] | Elastic).

Sysmon and Windows can also be helpful, but depending on the configuration may miss relevant context.

Happy to chat more if needed.


In my production environment, I'm using the security + winlogbeat + sysmon endpoint because I noticed that with just the Elastic endpoint, it lacked some specific information to detect brute force actions.

It is also important to enable GPOs to apply security policies and logs that bring data enrichment. For example, PowerShell logs, which are not enabled on Windows.

