This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Office365 Feed API is creating duplicate entries in Chronicle

Posted on 08-07-2024 08:23 PM
srijankafle
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi Team,

We are utilizing Chronicle Feed to ingest Office 365 logs. We have integrated Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, and DLP.All as the sources. We are seeing duplicate entries of the authentication logs. This was verified as logs with same raw log (all characters) and same value in metadata.product_log_id is repeated  2-3 times on average (up to 16 times) increasing false positives and data misrepresentation on the dashboard. 

Has someone discovered this issue and if yes is there any solution to this?

1 1 133
Topic Labels
1 REPLY 1
Top Solution Authors
View all