Nov 01 2022 05:32 AM
Are there some statistics available to expect the operating pressure will increase by enabling features of MDCA?
Of course, the reality depends on many other variables, but especially routing the defence log towards MDCA to have in-depth insight in behaviour could create an enormous amount of incidents, which must normalize in the beginning to remove false positives.
To prepare my SOC team, I hope some guidance or basics are available.
Nov 01 2022 07:06 AM
Hi @RVC,
As you said this can vary quite a bit based on a bunch of different factors.
One thing we've recently announced is that Defender for Cloud Apps will be moving to Microsoft 365 Defender. To start I would recommend getting familiar with Incidents there as alerts from Cloud Apps will feed in here. The good news is that they can also be correlated with alerts across services to provide higher fidelity incidents, so looking at multi-stage incidents in M365D first can help to reduce some of the noise.