I am currently working on the NSS & SIEM solution and have an enquiry regarding the number of subscriptions.
I read that one NSS is required for each type of log: NSS for Web & NSS for FW.
However, I would like to implement NSS for Sentinel, Splunk as well as MCAS.
My question would be whether I am required to have 2 NSS (incl. Web & Firewall) for each SIEM solution, or whether 2 NSS (incl. Web & Firewall) would be enough for all SIEM solutions as long as the feeds have been configured with correct IP addressing, TCP connections have been established to each SIEM solution, and all are on the same network.
Currently, I have 2 NSS deployed in Azure for each SIEM solution, but with only 2 NSS subscriptions showing all TCP connections, which is basically multiple log duplication and NSS redundancy.
The solution would be to increase the NSS subscriptions to 5: 2 NSS (Web & FW) for Sentinel, 2 NSS (Web & FW) for Splunk, and 1 NSS (Web) for MCAS.
Hence: what is the preferred solution?
Any help highly appreciated!