Because it doesn't work for us unless we modify the API endpoint. The correct API endpoint is
Hi @mccrilb, thanks for reaching out. I know there were some changes to the MS Graph Security integration recently; I will ask the team to check additionally.
Hey, following up on this ticket - our team will work on the fix, we will push to address it in the next closest releases.
Hi @Dmitry_Sarakeev - Is there any news on when this update will occur?
Hey @_eo ,
Just confirmed internally that this change wasn't released. Putting it into our backlog for March/April.
In the meantime, what kind of information are you planning to ingest? We have other integrations with Microsoft stack, so potentially there is a solution in those integrations for your use case.
Thanks for the update. We are using the M365 Defender connector and the Office365 Security and Compliance connector. We are filtering out alert service sources in the M365 Defender connector as we see duplicates when using both connectors mentioned above. Office365 S&C tends to provide better/more information compared to the same alert when ingested with M365 Defender. Does Google have a recommendation on what integrations to use for the MS stack?
Overall, M365 Defender is better for M365 Defender alerts, because it will try to group alerts from the same incident under the same case.
Also, it supports the ability to track updates to alerts (for example, if a new artifact was added to the alert). This can be enabled/disabled, because sometimes it's too noisy and currently, the only way to get updates is to create a new SecOps alert.
But it depends on the use case, we tend to not strip any data from 3rd party products, so if you see that one connector doesn't return good enough info, it can be tied to the limitations of that particular API.