@DJB This probably depends on the SIEM solution. Usually what happens is that both services are being ingested with different connectors or whatever they're called for your SIEM. In that sense, the SIEM needs to be able to determine that it's the same alert if both alerts come in via a different route.
Thanks for the reply! Appreciated. Our MCAS deployment is in the early stages - will do some further analysis on what the SIEM ingests and how it's presented.
