Event Source Resilience/Redundancy?

We have multiple collectors, in our corporate network and in our cloud environments. We are ingesting cloud-sourced events from our cloud provider (AWS), our MFA provider, O365 and ATP. We’d like to make sure that data sources are more or less always available but without SWAMPING the IDR backend. So if, say, AWS has a problem or outage, the other collector can still ingest event source data, and vice versa.

Alternatively, is the IDR backend smart enough to recognize duplicates and to de-duplicate?

Hi Thomas,

We do not have any de-duplication across cloud event sources today. The only event source we de-duplicate today is LDAP, as that simply polls for user account information from your AD Servers.

If you were to have two copies of the same event source running at once, we would collect double the data and process every event twice. What you are requesting has come up before as an enhancement request to have High Availability built into the collectors and event source configurations; however, it is not on our roadmap at present.

David