
Office365 Feed API is creating duplicate entries in Chronicle

  • August 8, 2024


Hi Team,

We are utilizing Chronicle Feed to ingest Office 365 logs. We have integrated Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, and DLP.All as the sources. We are seeing duplicate entries of the authentication logs. This was verified, as logs with the same raw log (all characters) and the same value in metadata.product_log_id are repeated 2-3 times on average (up to 16 times), increasing false positives and data misrepresentation on the dashboard.

Has someone discovered this issue and, if yes, is there any solution to this?

1 reply

dnehoda
Staff
  • August 8, 2024

Hello, 

Assuming this is configured as a feed? From time to time we do get duplicates and need to adjust timings. Please open a support case with the feed IDs in question and they will prioritize as a bug fix.