Microsoft Tech Community
SOLVED

Avoiding duplicates in Sentinel when connecting M365 Defender


Hi,

according to the documentation here: Microsoft 365 Defender integration with Microsoft Sentinel | Microsoft Learn

To avoid duplicates in incident creation, it's recommended to "turn off all Microsoft incident creation rules for Microsoft 365 Defender-integrated products".

Does that mean the Analytics rules shown in the image?

[Image: defender_rules.JPG]

Am I correct in this assumption? With those disabled (and the M365 Defender connector enabled), I'll get the incidents coming from all products through M365 Defender and not miss anything without getting duplicates?


Thank you in advance.

Andrés.

2 Replies
best response confirmed by Andres_Iniesta (Copper Contributor)
Solution
Hello!

From your question and your answers, you got it right :)

Hello,
But does that mean that Sentinel won't be the single pane of glass and the team will have to work across two different interfaces to deal with incidents?