<!-- .slide: class="content small-font" --> ## Review And Summary * Collecting data from the endpoint is a balancing act: 1. Collecting too much data makes it difficult to post process 2. Collecting too little means frequent re-collections and pivoting. * In Client/Server model it is easy to hunt for new data quickly * It is better to be more targeted and answer more specific questions * Limit the total data returned * We saw to to collect uploads using SMB and S3 * More methods are available (SFTP, Azure etc). * The basic principal is the same: Lock down the service account so it can only upload --- <!-- .slide: class="content" --> ## Local collection considerations * Local collection can be done well without a server and permanent agent installed. * A disadvantage is that we do not get feedback of how the collection is going and how many resources are consumed. * We really need to plan ahead what we want to collect and it is more difficult to pivot and dig deeper in response to findings.