Arctic Wolf Agent event logs

As an MDR customer, you can use Agent with or without Sysmon installed on the device. Without Sysmon, Agent captures a limited set of security-relevant Windows events, for example Active Directory (AD) lockouts of administrator accounts, AD sign-in failures for high-criticality users, and Kerberos replay attacks. With Sysmon installed, Agent can detect additional events, for example process creation, driver loading, and potentially malicious PowerShell activity.
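To confirm on a given device whether Sysmon is present and whether the local logs these detections draw on are actually being populated, the following PowerShell check can be run from an elevated session. It is an added example, not Arctic Wolf's code or Agent's own logic. The event IDs used are the standard Windows Security log IDs (4740 account lockout, 4625 failed logon, 4649 replay attack detected) and Sysmon IDs (1 process creation, 6 driver loaded); which IDs Agent itself consumes is not stated on this page and is an assumption.

```powershell
# Added example, not Arctic Wolf code. Checks whether Sysmon is installed and
# whether the Security log and Sysmon log contain the event types the page
# describes. Event IDs are standard Windows/Sysmon IDs chosen by the editor.

# Sysmon registers as a service named Sysmon or Sysmon64 depending on the binary.
$sysmon = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue |
    Where-Object Status -eq 'Running'

if ($sysmon) {
    Write-Host "Sysmon service running: $($sysmon.Name -join ', ')"
} else {
    Write-Host "Sysmon not detected; only Security-log based events are available."
}

$since = (Get-Date).AddHours(-24)

# Counts events of one ID in one log over the lookback window.
# Get-WinEvent emits a non-terminating error when nothing matches; suppress it
# and treat the result as zero.
function Count-Events {
    param([string]$LogName, [int]$Id, [datetime]$StartTime)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Id        = $Id
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue
    return ($events | Measure-Object).Count
}

# Security log events that do not require Sysmon. Note that 4740 (lockout) is
# written on the domain controller, and 4625 on the host where the logon failed,
# so a member workstation may legitimately show 0 for 4740.
$securityChecks = [ordered]@{
    4740 = 'Account lockout'
    4625 = 'Failed logon'
    4649 = 'Kerberos replay attack detected'
}
foreach ($id in $securityChecks.Keys) {
    $n = Count-Events -LogName 'Security' -Id $id -StartTime $since
    '{0,-34} (ID {1}): {2} event(s) in last 24h' -f $securityChecks[$id], $id, $n
}

# Sysmon operational log events. Present only when Sysmon is installed with a
# configuration that enables these event types.
if ($sysmon) {
    $sysmonChecks = [ordered]@{
        1 = 'Process creation'
        6 = 'Driver loaded'
    }
    foreach ($id in $sysmonChecks.Keys) {
        $n = Count-Events -LogName 'Microsoft-Windows-Sysmon/Operational' -Id $id -StartTime $since
        '{0,-34} (Sysmon ID {1}): {2} event(s) in last 24h' -f $sysmonChecks[$id], $id, $n
    }
}
```

Reading the Security log requires administrator rights. A zero count for Sysmon ID 1 on a host where Sysmon is running usually means the Sysmon configuration does not enable process-creation logging, which would also leave Agent without those events.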

Agent does not forward all event logs to Arctic Wolf for storage. It is therefore not a replacement for the off-site log retention that industry compliance requirements may demand.