SOC impact of enabling MDCA full scope


Are there any statistics available on how much the operating pressure can be expected to increase by enabling features of MDCA?

Of course, the reality depends on many other variables, but especially routing the Defender logs towards MDCA to get in-depth insight into behaviour could create an enormous number of incidents, which must be normalized in the beginning to remove false positives.

To prepare my SOC team, I hope some guidance or basics are available.


Hi @RVC,

As you said this can vary quite a bit based on a bunch of different factors.


One thing we've recently announced is that Defender for Cloud Apps will be moving to Microsoft 365 Defender. To start I would recommend getting familiar with Incidents there, as alerts from Cloud Apps will feed in here. The good news is that they can also be correlated with alerts across services to provide higher fidelity incidents, so looking at multi-stage incidents in M365D first can help to reduce some of the noise.
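To make the noise-reduction point concrete, here is an added example (not code from the thread or from Microsoft) that simulates how raw alerts from several services collapse into a smaller number of incidents when they are correlated on a shared entity. The correlation rule used here (same user within a one-hour window) and the alert data are constructed assumptions for illustration; the real M365D correlation logic is far richer and is not reproduced here. The point it demonstrates is that the number of incidents a SOC has to triage, not the number of raw alerts, is the figure to plan capacity around, and that multi-service incidents are the ones worth looking at first.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    time: datetime
    service: str   # originating product, e.g. "CloudApps" or "Endpoint"
    user: str      # entity used for correlation
    title: str


# Constructed sample alerts (assumed data, not real MDCA or M365D output).
SAMPLE_ALERTS = [
    Alert(datetime(2023, 5, 1, 9, 0), "CloudApps", "alice", "Impossible travel"),
    Alert(datetime(2023, 5, 1, 9, 20), "Endpoint", "alice", "Suspicious process"),
    Alert(datetime(2023, 5, 1, 9, 40), "CloudApps", "alice", "Mass download"),
    Alert(datetime(2023, 5, 1, 10, 0), "CloudApps", "bob", "New OAuth app consent"),
    Alert(datetime(2023, 5, 1, 11, 0), "Endpoint", "carol", "Credential dumping attempt"),
    Alert(datetime(2023, 5, 1, 11, 30), "CloudApps", "carol", "Mass download"),
    Alert(datetime(2023, 5, 1, 13, 0), "CloudApps", "bob", "Mass download"),
]


def correlate(alerts, window=timedelta(hours=1)):
    """Group alerts into incidents: same user, each alert within `window`
    of the previous alert already in that incident (assumed simple rule)."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a.time):
        for inc in incidents:
            if inc["user"] == alert.user and alert.time - inc["last"] <= window:
                inc["alerts"].append(alert)
                inc["last"] = alert.time
                break
        else:
            incidents.append({
                "user": alert.user,
                "first": alert.time,
                "last": alert.time,
                "alerts": [alert],
            })
    return incidents


def multi_stage(incidents):
    """Incidents that span more than one service; these carry higher fidelity
    than a single isolated alert and are the ones to triage first."""
    return [inc for inc in incidents
            if len({a.service for a in inc["alerts"]}) > 1]


def triage_summary(alerts, window=timedelta(hours=1)):
    """Counts a SOC would use to estimate workload after correlation."""
    incidents = correlate(alerts, window)
    return {
        "alerts": len(alerts),
        "incidents": len(incidents),
        "multi_stage": len(multi_stage(incidents)),
    }


if __name__ == "__main__":
    summary = triage_summary(SAMPLE_ALERTS)
    print(summary)
    for inc in multi_stage(correlate(SAMPLE_ALERTS)):
        services = sorted({a.service for a in inc["alerts"]})
        print(f"{inc['user']}: {len(inc['alerts'])} alerts across {services}")
```

Running it on the constructed data turns seven alerts into four incidents, two of which span both Cloud Apps and Endpoint alerts. Adjusting the window or the correlation entity shows how strongly the incident count depends on the correlation rule, which is why a fixed "alerts per day" statistic for MDCA is hard to give.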