MCAS log ingestion deployment modes (Log collector vs MDE)


Hello techies,

Hope you are all doing well and keeping safe during these unprecedented times!!

I have a couple of queries regarding log deployment modes. Please help me understand.

As part of a transition, we have been requested to provide support for one of our clients. In the current ecosystem, log ingestion happens through native MDE integration and via log collectors (Docker image on Linux in Azure).

1. When we are able to discover the data from MDE, why should we have a log collector deployment in place? I believe that only with the help of log collectors can we replicate the cloud discovery resource details (statistics for platform security, i.e. storage account transactions). Please correct me if I am wrong.

2. If we ingest the data both from MDE and through log collector servers, will it be treated as redundant logs on the MCAS side? How will the data be processed?

3. Log collectors have been showing offline since Sep 4th 2021, but the last parsed log is showing as Sep 14th? So is there a 10-day delay in processing the data from the log collectors to MCAS? Why is it taking a 10-day time period, because we would be in a blind spot from a security standpoint?

Can somebody please help me understand the above queries?

Looking forward to hearing back on these queries, please.

Thank you,

Mahesh.
