
Best Practice to handle duplicate SIEM log entries from MDCA and MDI


I'm looking to understand the best practice for handling potential duplicate SIEM log entries with MDI and MDCA enabled.


The MDCA documentation (MDCA SIEM Integration) suggests that duplicate entries will be created with different IDs.


Can they run side by side or do I have to choose one source over another?

Does using Sentinel provide additional options to merge or suppress duplicate entries that a third-party SIEM like Splunk doesn't?

best response confirmed by GaryB_Reply (Copper Contributor)
Solution
I can speak for the Sentinel side - yes, Sentinel has capability built-in to manage potential duplicate alerts. Plus, the Defender alerts are free for Sentinel customers.

@GaryB_Reply if using 2 different sources it's definitely possible to see duplicates. Is there a particular reason that you're wanting to use both? Is it a difference in the data?


You might also consider the streaming API in M365D which should aggregate all the events together and they could be consumed from an EventHub to your SIEM.

@Keith_Fleming We are looking to use MDI on premise and MDCA to manage cloud app usage, and the documentation warns that duplicates will happen but doesn't give a clear guide on how to resolve them or a best practice for choosing one over the other. If the data is being fed into the Defender 365 portal from both sources and then on to a SIEM, rather than individual feeds from MDI and MDCA, would that mitigate the problem?
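The content-keyed de-duplication the thread is asking about, as an added example (not code from the thread, from Microsoft, or from any SIEM vendor): alerts from MDI and MDCA that arrive with different IDs are collapsed by normalised alert name and affected entity when they fall within a short time window, while a repeat of the same alert hours later stays a separate record. Field names loosely follow the Sentinel SecurityAlert table, but the provider labels, window size and sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry): the same brute-force detection
# surfaced by MDI and MDCA with different alert IDs, plus an unrelated MDCA alert
# and a genuine repeat of the first alert 2.5 hours later.
SAMPLE_ALERTS = [
    {"SystemAlertId": "a1", "ProviderName": "MDI", "AlertName": "Suspected brute-force attack",
     "CompromisedEntity": "jdoe@contoso.example", "TimeGenerated": "2024-01-10T09:00:05Z"},
    {"SystemAlertId": "b7", "ProviderName": "MDCA", "AlertName": "Suspected Brute-Force Attack ",
     "CompromisedEntity": "JDoe@Contoso.example", "TimeGenerated": "2024-01-10T09:01:40Z"},
    {"SystemAlertId": "c3", "ProviderName": "MDCA", "AlertName": "Impossible travel activity",
     "CompromisedEntity": "jdoe@contoso.example", "TimeGenerated": "2024-01-10T09:02:00Z"},
    {"SystemAlertId": "d9", "ProviderName": "MDI", "AlertName": "Suspected brute-force attack",
     "CompromisedEntity": "jdoe@contoso.example", "TimeGenerated": "2024-01-10T11:30:00Z"},
]


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def dedupe_alerts(alerts, window=timedelta(minutes=5)):
    """Collapse alerts that describe the same event but carry different IDs.

    The de-duplication key is the normalised alert name plus the normalised
    entity, never the alert ID (which differs per source). Alerts with the same
    key are merged only while they fall within `window` of the group's first
    occurrence; a later repeat starts a new group rather than being suppressed.
    """
    merged = []        # merged alert records, in time order
    open_groups = {}   # key -> index into `merged` of the latest group for that key
    for alert in sorted(alerts, key=lambda a: _ts(a["TimeGenerated"])):
        key = (alert["AlertName"].strip().casefold(),
               alert["CompromisedEntity"].strip().casefold())
        when = _ts(alert["TimeGenerated"])
        idx = open_groups.get(key)
        if idx is not None and when - _ts(merged[idx]["TimeGenerated"]) <= window:
            merged[idx]["Sources"].append(alert["ProviderName"])
            merged[idx]["SourceAlertIds"].append(alert["SystemAlertId"])
            merged[idx]["DuplicateCount"] += 1
            continue
        merged.append({**alert, "Sources": [alert["ProviderName"]],
                       "SourceAlertIds": [alert["SystemAlertId"]], "DuplicateCount": 0})
        open_groups[key] = len(merged) - 1
    return merged


if __name__ == "__main__":
    for record in dedupe_alerts(SAMPLE_ALERTS):
        print(record["TimeGenerated"], record["AlertName"], record["Sources"], record["SourceAlertIds"])
```

The same grouping can be expressed in a SIEM query language (for example a KQL `summarize` over a time bin keyed on the normalised fields) once the records from both feeds land in one table.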