This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Office365 Feed API is creating duplicate entries in Chronicle

Posted on 08-07-2024 08:23 PM
srijankafle
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi Team,

We are utilizing Chronicle Feed to ingest Office 365 logs. We have integrated Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, and DLP.All as the sources. We are seeing duplicate entries of the authentication logs. This was verified as logs with same raw log (all characters) and same value in metadata.product_log_id is repeated  2-3 times on average (up to 16 times) increasing false positives and data misrepresentation on the dashboard. 

Has someone discovered this issue and if yes is there any solution to this?

1 1 132
Topic Labels
1 REPLY 1

Posted on --/--/---- --:-- AM
dnehoda
Staff
Reply posted on --/--/---- --:-- AM

Hello, 

Assuming this is configured as a feed?  From time to we do get duplicates and need to adjust timings.  Please open a support case with the feed ID’s in question and they will prioritize as a bug fix.  

0 Likes
Top Solution Authors
View all