Sep 27 2022 08:22 AM
I'm looking to understand the best practice for handling potential duplicate SIEM log entries with MDI and MDCA enabled.
The MDCA documentation (MDCA SIEM Integration) suggests that duplicate entries will be created with different IDs.
Can they run side by side, or do I have to choose one source over another?
Does using Sentinel provide additional options to merge or suppress duplicate entries that a third-party SIEM like Splunk doesn't?
Sep 27 2022 09:02 AM
Solution
Sep 28 2022 08:43 AM
@GaryB_Reply If using 2 different sources, it's definitely possible to see duplicates. Is there a particular reason that you're wanting to use both? Is it a difference in the data?
You might also consider the streaming API in M365D which should aggregate all the events together and they could be consumed from an EventHub to your SIEM.