I've just finished adding all of my Domain Controllers to ESM and definitely see the value there. I was hoping the group here could comment on the following questions:
For the first question, if I added all of my servers I think I would be able to ask ESM "Tell me all of the servers that user XYZ has connected to" - maybe this is prior to a termination, if they are a contractor, and/or as part of a malware/worm investigation. Granted, it doesn't tell me what they did by itself (I guess that's where the APPLICATION or other Device Type logs come into play).
We pull logs from all Windows Servers: DCs, Member Servers, Workgroup Servers. We pull all 3 default log groups, Security, System, and Application. We have 2 environments, North America with over 1,000 data sources on an older X3, and UK with far fewer Data Sources running on a newer X4. In NA we use the default 10-minute pull time (ESM from Receiver), and in the UK we are using 5 minutes. I believe the default pull time for WMI events from the Receiver is every 5 minutes. Most people are trying to make their SIEMs as close to "Real-Time" as possible; extending your polling time out to 30 minutes is not the norm for sure.
How did you deploy this? I am currently working with a customer with a 3,000+ workstation environment. They have stated that it would be impossible to provide host names for each of the workstations, however, they want Security, System and App logs from each of the hosts! I am trying to figure out a way to appease the customer but aside from just adding the domain controllers as data sources, I am at a loss as to how to implement inside of their "can't provide hostnames" limitation. Do you know of a way to collect Windows logs from each host without creating a data source for each host on the Event Receiver?
Remember that there are a lot of default correlation rules based on the 10-minute time window. When you are looking, for example, for user logins from different systems, you can lose some information because of delays in delivering the WMI logs.
Other suggestion: create an AD Servers variable in the servers section and use that variable to filter logs regarding AD servers in correlations like "the same user logon from different computers" and similar, to exclude false-positive correlations.
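The two points raised above, the 10-minute correlation window being sensitive to WMI delivery delay and the use of an AD Servers variable to keep domain controllers out of a "same user logon from different computers" rule, worked through as an added example. This is not ESM's own rule engine or the poster's code; the events, host names, AD_SERVERS set and field names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). "event_time" is when the host
# wrote the logon event; "received" is when the WMI pull delivered it.
EVENTS = [
    {"user": "jdoe",   "host": "WS-0101", "event_time": "2024-05-01 09:00:10", "received": "2024-05-01 09:05:00"},
    {"user": "jdoe",   "host": "WS-0207", "event_time": "2024-05-01 09:06:30", "received": "2024-05-01 09:16:00"},
    {"user": "jdoe",   "host": "DC01",    "event_time": "2024-05-01 09:06:40", "received": "2024-05-01 09:10:00"},
    {"user": "asmith", "host": "WS-0310", "event_time": "2024-05-01 09:02:00", "received": "2024-05-01 09:05:00"},
    {"user": "asmith", "host": "WS-0310", "event_time": "2024-05-01 09:08:00", "received": "2024-05-01 09:15:00"},
]

# Hypothetical stand-in for the "AD Servers" variable suggested in the thread.
AD_SERVERS = {"DC01", "DC02"}
WINDOW = timedelta(minutes=10)  # the default correlation window discussed above


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def multi_host_logons(events, time_field="event_time", exclude=AD_SERVERS, window=WINDOW):
    """Return {user: sorted hosts} for every user seen logging on to two or
    more distinct hosts within `window`, ignoring hosts in `exclude`.
    `time_field` selects whether the window is measured on the host's own
    timestamp or on the SIEM's receive time (the WMI-delay problem)."""
    by_user = {}
    for e in events:
        if e["host"] in exclude:          # AD servers would otherwise pair with everything
            continue
        by_user.setdefault(e["user"], []).append((parse(e[time_field]), e["host"]))

    hits = {}
    for user, seq in by_user.items():
        seq.sort()                        # sliding window over time-ordered logons
        for i, (t0, h0) in enumerate(seq):
            hosts = {h0}
            for t1, h1 in seq[i + 1:]:
                if t1 - t0 > window:
                    break
                hosts.add(h1)
            if len(hosts) >= 2:
                hits[user] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    print("by event time :", multi_host_logons(EVENTS))                        # jdoe fires
    print("by receive time:", multi_host_logons(EVENTS, time_field="received"))  # missed: pull delay pushed it past 10 min
    print("no AD exclusion:", multi_host_logons(EVENTS, exclude=set()))          # DC01 pulled in as a false positive
```

Run on the receive timestamps, jdoe's second logon arrives 11 minutes after the first and the rule misses it, which is the delay effect the thread warns about; without the exclusion set, the DC logon inflates the match.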