cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Best Practice to handle duplicate SIEM log entries from MDCA and MDI

GaryB_Reply
Copper Contributor

‎Sep 27 2022 08:22 AM

‎Sep 27 2022 08:22 AM

Best Practice to handle duplicate SIEM log entries from MDCA and MDI

I'm looking to understand the best practice for handling potential duplicate SIEM log entries with MDI and MDCA enabled.

 

The MDCA documentation MDCA SIEM Integration suggests that duplicate entries will be created with different IDs.

 

Can they run side by side or do I have to choose one source over another?

Does using Sentinel provide additional options to merge or suppress duplicate entries that at third party SIEM like Splunk doesn't?

1,187 Views
0 Likes
3 Replies
Reply
3 Replies
best response confirmed by GaryB_Reply (Copper Contributor)
Rod_Trent

‎Sep 27 2022 09:02 AM

‎Sep 27 2022 09:02 AM

Solution

Re: Best Practice to handle duplicate SIEM log entries from MDCA and MDI

I can speak for the Sentinel side - yes, Sentinel has capability built-in to manage potential duplicate alerts. Plus, the Defender alerts are free for Sentinel customers.
1 Like
Reply
Keith_Fleming

‎Sep 28 2022 08:43 AM

‎Sep 28 2022 08:43 AM

Re: Best Practice to handle duplicate SIEM log entries from MDCA and MDI

@GaryB_Reply if using 2 different sources it's definitely possible to see duplicates. Is there a particular reason that your wanting to use both is it a difference in the data?

 

You might also consider the streaming API in M365D which should aggregate all the events together and they could be consumed from an EventHub to your SIEM.

1 Like
Reply
GaryB_Reply

‎Sep 28 2022 09:19 AM

‎Sep 28 2022 09:19 AM

Re: Best Practice to handle duplicate SIEM log entries from MDCA and MDI

@Keith_Fleming We are looking to use MDI on premise and MDCA to manage cloud app usage and the documentation warns that duplicates will happen but doesn't give a clear guide how to resolve or best practice for choosing one over the other. If the data is being fed into the Defender 365 portal from both sources and then onto a SIEM rather than individual feeds from MDI and MDCA would that mitigate the problem?
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by GaryB_Reply (Copper Contributor)
Rod_Trent

‎Sep 27 2022 09:02 AM

‎Sep 27 2022 09:02 AM

Solution

Re: Best Practice to handle duplicate SIEM log entries from MDCA and MDI

I can speak for the Sentinel side - yes, Sentinel has capability built-in to manage potential duplicate alerts. Plus, the Defender alerts are free for Sentinel customers.

View solution in original post

1 Like
Reply