I’m evaluating integration approaches for ingesting alerts from Microsoft Defender for Endpoint (MDE) into Google SecOps and facing challenges with both SIEM and SOAR options.
With Google SecOps SIEM:
- MDE alerts and their evidence are ingested as individual events rather than as a single alert/incident
- This requires building additional detection rules to stitch events back together
- Due to high alert volume from MDE, suppression via SIEM detection rules becomes difficult to manage
With Google SecOps SOAR:
- Using the MDE connector results in 1 alert = 1 case (e.g., 1000 alerts/day → 1000 cases)
- There is no pre-ingestion suppression/filtering mechanism
- Any update to an alert (e.g., assignment change) generates a new alert in SOAR, leading to duplication
Key Questions:
- What is the recommended architecture for integrating MDE with Google SecOps?
- Is SIEM-based ingestion preferred over SOAR, or a hybrid approach?
- How do you handle alert suppression and deduplication at scale?
- Are there best practices to preserve alert context without rebuilding everything in SIEM?
Would appreciate insights from anyone who has implemented this at scale.
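As an added illustration of the deduplication problem raised above (not the poster's code, and not a Google SecOps or Microsoft component), the sketch below shows a pre-ingestion stage that sits between the MDE Alerts API and SOAR: it collapses repeated emissions of the same alert into one "create" followed by "update" actions, and suppresses alerts below a severity floor before a case is ever opened. The field names (`id`, `severity`, `status`, `assignedTo`, `lastUpdateTime`) follow the MDE alert schema; the alert values are constructed for this example.

```python
# Constructed sample of MDE alert records (values are made up; the field names
# follow the MDE Alerts API schema). The second record is the same alert re-emitted
# after an analyst assignment, which is exactly what creates duplicate SOAR cases.
SAMPLE_ALERTS = [
    {"id": "da1", "title": "Suspicious PowerShell", "severity": "High", "status": "New",
     "assignedTo": None, "lastUpdateTime": "2024-05-01T10:00:00Z"},
    {"id": "da1", "title": "Suspicious PowerShell", "severity": "High", "status": "InProgress",
     "assignedTo": "analyst@example.com", "lastUpdateTime": "2024-05-01T10:30:00Z"},
    {"id": "da2", "title": "Informational only", "severity": "Informational", "status": "New",
     "assignedTo": None, "lastUpdateTime": "2024-05-01T11:00:00Z"},
]

# MDE severity values, ordered so a floor can be applied.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def dedupe_and_filter(alerts, min_severity="Medium", seen=None):
    """Decide, per incoming alert record, what the SOAR side should do.

    `seen` maps alert id -> the latest lastUpdateTime already processed. Passing
    the same dict across polling batches is what turns "1 update = 1 new case"
    into "1 alert = 1 case plus updates". Returns a list of (action, alert_id).
    """
    seen = {} if seen is None else seen
    actions = []
    for alert in alerts:
        # Pre-ingestion suppression: never open a case for low-value severities.
        if SEVERITY_RANK.get(alert["severity"], 0) < SEVERITY_RANK[min_severity]:
            actions.append(("suppress", alert["id"]))
            continue
        prev = seen.get(alert["id"])
        if prev is None:
            actions.append(("create_case", alert["id"]))
        elif alert["lastUpdateTime"] > prev:
            # ISO-8601 UTC timestamps of equal format compare correctly as strings.
            actions.append(("update_case", alert["id"]))
        else:
            # Same or older snapshot of an alert already handled: drop it.
            actions.append(("skip_stale", alert["id"]))
        seen[alert["id"]] = max(prev or "", alert["lastUpdateTime"])
    return actions


if __name__ == "__main__":
    for action, alert_id in dedupe_and_filter(SAMPLE_ALERTS):
        print(f"{action:12s} {alert_id}")
```

The same keying works for stitching evidence back to its alert if the SIEM route is used, since every evidence event carries the parent alert id.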