
Best Way to Integrate Microsoft Defender for Endpoint with Google SecOps (SIEM vs SOAR)?

  • March 20, 2026
  • 4 replies
  • 156 views

soaruser

I’m evaluating integration approaches for ingesting alerts from Microsoft Defender for Endpoint (MDE) into Google SecOps and facing challenges with both SIEM and SOAR options.

With Google SecOps SIEM:

  • MDE alerts and their evidence are ingested as individual events rather than a single alert/incident
  • This requires building additional detection rules to stitch events back together
  • Due to high alert volume from MDE, suppression via SIEM detection rules becomes difficult to manage

With Google SecOps SOAR:

  • Using the MDE connector results in 1 alert = 1 case (e.g., 1000 alerts/day → 1000 cases)
  • There is no pre-ingestion suppression/filtering mechanism
  • Any update to an alert (e.g., assignment change) generates a new alert in SOAR, leading to duplication

Key Questions:

  • What is the recommended architecture for integrating MDE with Google SecOps?
  • Is SIEM-based ingestion preferred over SOAR, or a hybrid approach?
  • How do you handle alert suppression and deduplication at scale?
  • Are there best practices to preserve alert context without rebuilding everything in SIEM?

Would appreciate insights from anyone who has implemented this at scale.

4 replies

Heliosfloresempirellc43

| Challenge | SIEM (Event-Based) | SOAR (Case-Based) | Hybrid (Recommended) |
| --- | --- | --- | --- |
| Stitching | Manual Rules Required | Automatic via Connector | API-Driven via Incident ID |
| Volume | High (Hard to suppress) | High (Case Fatigue) | Low (Aggregated Stories) |
| Context | Fragmented Evidence | Full Alert Context | |


soaruser
  • Author
  • Bronze 1
  • March 20, 2026

I still believe using the SOAR connector below would be very easy compared to SIEM, but the only problem is that a large number of cases will be generated (1 alert = 1 case, e.g., 1000 alerts/day → 1000 cases).

Although I can auto-close using SOAR playbooks, there is no built-in suppression feature in Google SecOps SOAR that can suppress before case creation in SOAR based on some conditions.

Microsoft Defender ATP Connector V2 SOAR Connector:

https://docs.cloud.google.com/chronicle/docs/soar/marketplace-integrations/microsoft-defender-atp#microsoft_defender_atp_connector_v2


AymanC
  • Bronze 5
  • March 22, 2026

Hi @soaruser,

You could raise a support ticket to Google to implement some form of suppression, or duplicate and modify the connector code to suppress alerts based on a common identifier that works for your environment.

Kind Regards,

Ayman
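The three ideas above (the question's "suppression and deduplication at scale", the table's "API-driven via incident ID" row, and AymanC's "suppress on a common identifier") can be sketched as one pre-ingestion filter. The following is an added example, not code from Google's connector or from Microsoft; the alert field names follow the shape of the MDE Alerts API (id, incidentId, severity, status, title, category, assignedTo, lastUpdateTime, evidence), the sample alerts are constructed, and the severity threshold and noisy-title list are assumptions you would tune for your environment. It fingerprints only the analyst-relevant fields so that a reassignment or timestamp change is dropped as a metadata-only update, applies severity and title suppression before anything reaches case creation, and groups what survives by incidentId so one incident becomes one story rather than N cases.

```python
"""Pre-ingestion suppression and deduplication for MDE alerts (added example)."""
import hashlib
import json
from dataclasses import dataclass, field

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Fields whose change matters to an analyst. Changes to anything else
# (assignedTo, lastUpdateTime, comments) are treated as metadata-only
# updates and are suppressed instead of opening a new SOAR case.
CONTENT_FIELDS = ("title", "severity", "status", "category", "incidentId")


def fingerprint(alert: dict) -> str:
    """Stable hash of the analyst-relevant fields of one alert."""
    subset = {k: alert.get(k) for k in CONTENT_FIELDS}
    subset["evidence_count"] = len(alert.get("evidence", []))
    encoded = json.dumps(subset, sort_keys=True).encode()
    return hashlib.sha256(encoded).hexdigest()


@dataclass
class SuppressionState:
    """Persisted between connector polls: alert id -> last forwarded fingerprint."""
    seen: dict = field(default_factory=dict)
    suppressed: list = field(default_factory=list)  # (alert id, reason)


def filter_alerts(alerts, state, min_severity="Medium", noisy_titles=()):
    """Return the alerts that should create or update a case; log the rest."""
    forward = []
    for alert in alerts:
        aid = alert["id"]
        if SEVERITY_RANK.get(alert.get("severity"), 0) < SEVERITY_RANK[min_severity]:
            state.suppressed.append((aid, "below severity threshold"))
            continue
        if any(t in alert.get("title", "") for t in noisy_titles):
            state.suppressed.append((aid, "matched noisy title"))
            continue
        fp = fingerprint(alert)
        if state.seen.get(aid) == fp:
            state.suppressed.append((aid, "duplicate/metadata-only update"))
            continue
        state.seen[aid] = fp  # new alert, or a real change worth a case update
        forward.append(alert)
    return forward


def group_by_incident(alerts):
    """Collapse forwarded alerts into one story per incidentId (ids deduplicated)."""
    incidents = {}
    for a in alerts:
        bucket = incidents.setdefault(a["incidentId"], [])
        if a["id"] not in bucket:
            bucket.append(a["id"])
    return incidents


# Constructed sample data: first poll of the Alerts API.
POLL_1 = [
    {"id": "alert-1", "incidentId": 100, "severity": "High", "status": "New",
     "title": "Suspicious PowerShell command line", "category": "Execution",
     "assignedTo": None, "lastUpdateTime": "2026-03-20T08:00:00Z",
     "evidence": [{"entityType": "Process"}, {"entityType": "File"}]},
    {"id": "alert-2", "incidentId": 100, "severity": "Medium", "status": "New",
     "title": "Anomalous network connection", "category": "CommandAndControl",
     "assignedTo": None, "lastUpdateTime": "2026-03-20T08:01:00Z",
     "evidence": [{"entityType": "Ip"}]},
    {"id": "alert-3", "incidentId": 101, "severity": "Low", "status": "New",
     "title": "Unusual login time", "category": "InitialAccess",
     "assignedTo": None, "lastUpdateTime": "2026-03-20T08:02:00Z",
     "evidence": []},
    {"id": "alert-4", "incidentId": 102, "severity": "High", "status": "New",
     "title": "[Test Alert] EICAR detection", "category": "Malware",
     "assignedTo": None, "lastUpdateTime": "2026-03-20T08:03:00Z",
     "evidence": [{"entityType": "File"}]},
]

# Second poll: alert-1 was only reassigned, alert-2 was resolved, alert-5 is new.
POLL_2 = [
    dict(POLL_1[0], assignedTo="analyst@example.com",
         lastUpdateTime="2026-03-20T09:00:00Z"),
    dict(POLL_1[1], status="Resolved", lastUpdateTime="2026-03-20T09:05:00Z"),
    {"id": "alert-5", "incidentId": 103, "severity": "High", "status": "New",
     "title": "Credential theft attempt", "category": "CredentialAccess",
     "assignedTo": None, "lastUpdateTime": "2026-03-20T09:10:00Z",
     "evidence": [{"entityType": "Process"}]},
]


def run_demo():
    """Run two polls through one shared state; returns what each poll forwarded."""
    state = SuppressionState()
    noisy = ("[Test Alert]",)  # assumed local tuning, not a product setting
    first = filter_alerts(POLL_1, state, noisy_titles=noisy)
    second = filter_alerts(POLL_2, state, noisy_titles=noisy)
    incidents = group_by_incident(first + second)
    return ([a["id"] for a in first], [a["id"] for a in second],
            incidents, state.suppressed)


if __name__ == "__main__":
    for label, value in zip(("poll 1", "poll 2", "incidents", "suppressed"), run_demo()):
        print(f"{label}: {value}")
```

The state dictionary is the piece that has to survive between connector runs (a small key-value store or a file is enough); without it the second poll cannot tell a reassignment from a new alert, which is exactly the duplication the question describes.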


soaruser
  • Author
  • Bronze 1
  • March 22, 2026

Hi @AymanC

Thanks for your response. However, raising a support ticket can take quite a long time. Another concern is that if the connector gets updated in the future, a custom connector approach may introduce compatibility issues or errors.

Additionally, this solution will be specific to the MDE connector. If we have to handle similar requirements for other log sources going forward, then it would be a lot of manual work every time.