Integration Differences - Fleet Policies

Could someone please shed some light on those integrations?

System Integration and Windows, they seem to be collecting the same type of logs?

Prebuilt Security Detection Rules - does this require Endpoint Security / Integration to be installed/enabled?

Huber, regarding prebuilt rules: these rules don't require you to use the Elastic Endpoint (some users choose to use Winlogbeat or Sysmon or osquery or some combination of sensors), but the prebuilt rules were developed to take full advantage of Elastic Endpoint capabilities. Generally speaking, prebuilt rules should work just fine with any ECS-compatible data source; examples in the community-facing repo include prebuilt rules for Azure, GCP, AWS and Okta.

I do recommend the Elastic Endpoint if you don't have a tamper-resistant endpoint capability already. It is excellent, but not a strict requirement to benefit from prebuilt rules.

Hi Huber,

Regarding the System vs Windows integrations, both integrations will collect the same type of logs (Windows Events), but each integration pulls from different channels. The System integration will collect from the Application, Security and System channels, while the Windows integration will collect from the ForwardedEvents, Powershell, Microsoft-Windows-Powershell/Operational, and Microsoft-Windows-Sysmon/Operational channels. If you need to collect logs from a different channel, the "Custom Windows event logs" (winlog) integration may be used.
