What is the best way to deploy agents/sensors (such as a SIEM agent) in large-scale Windows environments?
Any hands-on tips or recommendations?
Most SIEMs shouldn't require agents. You can generally configure Windows Event Forwarding (WEF) to a Windows Event Collector (WEC), and then forward logs via one agent on the WEC for multiple endpoints.
We use NXLOG at Securonix.
I would suggest, if you need to deploy agents on Windows, you're probably best off using Group Policy in Active Directory and an MSI installer.
WMI can be used to collect logs, but I highly recommend against it. It's insecure, using COM/DCOM ports 135-138 to query, then SMB 445 for file transfer, and it requires DLLs to decode the binary format.
Sensors implies traffic collection and layer 2 devices (Corelight, Gigamon, Extrahop), and is an entirely different process.
You will probably have to deploy at least one log collector for the vendor's SIEM you deploy. Most will be a Unix host, and you'll want to make sure you plan for its patch management (many vendors don't patch after install and it's left to the customer). Some are deployed via VMs. Some supply hardware devices (ArcSight Connector Appliance, QRadar Event Processor).
Puppet, Terraform and other cloud tools can help with deployment of collectors on cloud environments.
Some products permit generating a native .MSI package. Sometimes, you can use PowerShell for connecting and installing packs in your environment.
Non-trivial: using a secondary tool (an administrative tool, iLO/iDRAC, PHP, expect, ssh-win, ...) that is available or built in on the assets.
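The MSI-plus-PowerShell route mentioned in the two posts above (the GPO/MSI suggestion and the "use PowerShell for connecting and installing packs" one), as an added example that is not code from either poster or from any agent vendor: it verifies the package signature once on the admin host, copies the MSI into each remote session (which sidesteps the Kerberos second-hop problem of reading a share from inside Invoke-Command), installs it silently with a per-host log, and reports hosts that failed or were never reached. The share path, MSI name, signer subject and targets file are assumptions.

```powershell
# Added example, not from the thread. Share path, MSI name, signer subject and targets file are assumptions.

$MsiPath = '\\files.corp.example\deploy\siem-agent.msi'   # assumed package location
$Signer  = 'CN=Example Vendor, O=Example Vendor Inc'       # assumed Authenticode signer subject
$Targets = Get-Content -Path '.\targets.txt'               # assumed: one hostname per line

# 1. Refuse to push an unsigned or wrongly signed package. A tampered MSI installed as
#    SYSTEM on every endpoint is a far worse outcome than a delayed agent rollout.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -ne $Signer) {
    throw "Signature check failed for ${MsiPath}: $($sig.Status) / $($sig.SignerCertificate.Subject)"
}
$expectedHash = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash

# 2. Open sessions and copy the MSI through them. Copy-Item -ToSession uses the existing
#    session, so the remote side never has to authenticate to the file share itself.
$sessions = New-PSSession -ComputerName $Targets -ErrorAction Continue
$remoteMsi = 'C:\Windows\Temp\siem-agent.msi'
foreach ($s in $sessions) {
    Copy-Item -Path $MsiPath -Destination $remoteMsi -ToSession $s -Force
}

# 3. Verify the copy and install silently, returning one record per host.
$results = Invoke-Command -Session $sessions -ArgumentList $remoteMsi, $expectedHash -ScriptBlock {
    param($Msi, $ExpectedHash)
    $log = 'C:\Windows\Temp\siem-agent-install.log'
    if ((Get-FileHash -Path $Msi -Algorithm SHA256).Hash -ne $ExpectedHash) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; ExitCode = -1; Note = 'hash mismatch after copy' }
    }
    $p = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
         -ArgumentList "/i `"$Msi`" /qn /norestart /l*v `"$log`""
    Remove-Item -Path $Msi -Force -ErrorAction SilentlyContinue
    [pscustomobject]@{ Host = $env:COMPUTERNAME; ExitCode = $p.ExitCode; Note = $log }
}
Remove-PSSession -Session $sessions

# 4. Report. msiexec 0 = success, 3010 = success but reboot required; anything else needs the log.
$failed    = $results | Where-Object { $_.ExitCode -notin 0, 3010 }
$unreached = $Targets | Where-Object { $_ -notin $results.Host }
"Installed: $(($results | Where-Object { $_.ExitCode -in 0, 3010 }).Count) / $($Targets.Count)"
$failed    | Format-Table Host, ExitCode, Note
$unreached | ForEach-Object { "Unreached: $_" }
```

For a GPO software-installation deployment the same signed MSI is published from the share and installed at boot by the client itself, so the second-hop issue does not arise there; the signature and hash check is still worth running before the package is dropped on the share, and the `/l*v` log is what you want when a handful of hosts report a non-zero exit code.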
Usually, when professionals administer the network, they use an Active Directory tool and a cybersecurity solution (e.g., EPP, anti-virus, or SIEM) separately.
Are you aware of SIEM platforms that integrate these tools?
When one writes detection rules for SIEM solutions, what are the criteria of a good detection rule?
Can you share any examples?