Hello,
I too am somewhat new to the ELK topic seeing that no one has given you an answer, I will try to give you some information about my experience, it may or may not help you.
We know that the role of the agents is to collect logs and send them to Elasticsearch.
These agents are managed by “fleet” where you initially create an agent policy, there under a policy you can create one called “Windows monitoring” or “linux monitoring” and you give the name you want to the policy, the idea is to group the devices under an agent policy from “fleet”.
At this point we know that there are Agent policies.
Now the integrations also have policies but these integration policies define configurations or types of logs that you want to collect.
In the case of the Windows integration there is a policy that receives X name in my case I left it by default called “system-1” this defines that the logs that are going to be reconnected are “System, Security and application”.
Then for the Windows agent policy that groups all my machines that I called “Windows monitoring” an integration policy called “System” is applied to them, which is always detected, and this integration has a policy called “system-1” that defines what types of logs the agents must send through the integration, in this case as I mentioned, they are System, application and Security.
There is another integration called “Windows” this integration I see that allows to collect the logs type “Forwarded”, “Powershell”, “Powershell Operational”, “Sysmon Operational” among others and as explained above, I create a policy for the integration “Windows” called “windows-1” I left the name by detecto and this integration policy applies to the policy of the windows agents.
I hope you have understood me, if someone considers that I have made a mistake please feel free to correct me.
Sorry for the wording, I am using a translator.