GaryB_Reply
Sep 27, 2022 | Copper Contributor
Best Practice to handle duplicate SIEM log entries from MDCA and MDI
I'm looking to understand the best practice for handling potential duplicate SIEM log entries with MDI and MDCA enabled. The MDCA documentation MDCA SIEM Integration suggests that duplicate entri...
- Sep 27, 2022: I can speak for the Sentinel side - yes, Sentinel has capability built-in to manage potential duplicate alerts. Plus, the Defender alerts are free for Sentinel customers.
Keith_Fleming
Sep 28, 2022 | Microsoft
GaryB_Reply If using 2 different sources, it's definitely possible to see duplicates. Is there a particular reason that you're wanting to use both? Is it a difference in the data?
You might also consider the streaming API in M365D which should aggregate all the events together and they could be consumed from an EventHub to your SIEM.
- GaryB_Reply | Sep 28, 2022 | Copper Contributor: Keith_Fleming We are looking to use MDI on-premises and MDCA to manage cloud app usage, and the documentation warns that duplicates will happen but doesn't give a clear guide on how to resolve them or a best practice for choosing one over the other. If the data is being fed into the Defender 365 portal from both sources and then on to a SIEM, rather than individual feeds from MDI and MDCA, would that mitigate the problem?
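The thread's point is that the same detection can reach a SIEM twice when both the MDI and MDCA paths are connected, and that a SIEM needs a deduplication step (Sentinel's built-in handling, or an aggregated feed via the M365D streaming API) before alerts are counted or triaged. The following is an added example, not code from the thread, from Microsoft or from any Sentinel connector: it shows the kind of deduplication logic a SIEM-side pipeline applies. It assumes a simplified record shape (`alertId`, `source`, `title`, `timestamp`, `entities`); real MDI/MDCA/M365D payloads use different field names, and the sample feed below is constructed. Records that carry an alert ID are collapsed on that ID; records without one are collapsed on a fingerprint of normalized title, entities and a one-minute time bucket.

```python
"""Collapse duplicate security alerts that arrive via two integration paths.

Added example (not from the thread or from Microsoft). Field names are an
assumption: map real MDI/MDCA/M365D payload fields onto them before use.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample feed: one detection delivered twice (MDI connector and
# MDCA connector), one ID-less detection delivered twice, and one singleton.
SAMPLE_FEED = [
    {"alertId": "aaaa-0001", "source": "MDI", "title": "Suspected brute-force attack (Kerberos, NTLM)",
     "timestamp": "2022-09-27T10:15:00Z", "entities": ["CONTOSO\\jdoe"]},
    {"alertId": "aaaa-0001", "source": "MDCA", "title": "Suspected brute-force attack (Kerberos, NTLM)",
     "timestamp": "2022-09-27T10:15:42Z", "entities": ["CONTOSO\\jdoe", "DC01"]},
    {"alertId": None, "source": "MDCA", "title": "Impossible travel activity",
     "timestamp": "2022-09-27T11:00:05Z", "entities": ["jdoe@contoso.example"]},
    {"alertId": None, "source": "MDCA", "title": "Impossible travel activity",
     "timestamp": "2022-09-27T11:00:09Z", "entities": ["jdoe@contoso.example"]},
    {"alertId": "bbbb-0002", "source": "MDI", "title": "Remote code execution attempt",
     "timestamp": "2022-09-27T12:30:00Z", "entities": ["DC01"]},
]

# ID-less alerts with the same title and entities inside this window are
# treated as one alert (assumed window; tune to the feeds' observed skew).
BUCKET_SECONDS = 60


def _parse_ts(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dedup_key(alert):
    """Stable key: the upstream alert ID when present, else a content fingerprint."""
    if alert.get("alertId"):
        return ("id", alert["alertId"])
    bucket = int(_parse_ts(alert["timestamp"]).timestamp()) // BUCKET_SECONDS
    material = [
        alert["title"].strip().lower(),
        sorted(e.lower() for e in alert.get("entities", [])),
        bucket,
    ]
    digest = hashlib.sha256(json.dumps(material).encode("utf-8")).hexdigest()
    return ("fp", digest)


def merge(kept, new):
    """Fold a duplicate into the record already kept: union entities and sources,
    keep the earliest timestamp, and count how many copies were seen."""
    out = dict(kept)
    out["entities"] = sorted(set(kept.get("entities", [])) | set(new.get("entities", [])))
    out["sources"] = sorted(set(kept["sources"]) | {new["source"]})
    # ISO-8601 'Z' strings of equal format compare correctly as text
    out["timestamp"] = min(kept["timestamp"], new["timestamp"])
    out["duplicates"] = kept["duplicates"] + 1
    return out


def deduplicate(alerts):
    """Return one record per distinct alert, ordered by first-seen time."""
    merged = {}
    for alert in alerts:
        key = dedup_key(alert)
        if key in merged:
            merged[key] = merge(merged[key], alert)
        else:
            merged[key] = dict(alert, sources=[alert["source"]], duplicates=0)
    return sorted(merged.values(), key=lambda a: a["timestamp"])


if __name__ == "__main__":
    for record in deduplicate(SAMPLE_FEED):
        print(record["timestamp"], record["title"], record["sources"],
              "duplicates:", record["duplicates"])
```

Two design points worth noting: keying on the upstream alert ID is what makes the MDI/MDCA overlap collapse cleanly, since both paths carry the same detection, so a connector that strips or rewrites that ID forces the fingerprint fallback; and the time-bucket fallback deliberately does not match two copies that straddle a bucket boundary, so the window should be chosen from the delivery delay actually observed between the two feeds rather than set arbitrarily.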