cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Identifying incidents that have been closed by automated investigations

Cybermscommunityhub
Copper Contributor

‎Feb 27 2024 11:49 AM

‎Feb 27 2024 11:49 AM

Identifying incidents that have been closed by automated investigations

Is it possible to identify security incidents in Microsoft Sentinel which have been closed automatically after one of the Defender/Microsoft products has carried out an automated investigation and closed the incident?


It doesn’t look like there are any tags added to these incidents when that happens and the “AIR” option in the Automation rule section in Sentinel also doesn’t appear to work. 

 

Labels:
510 Views
0 Likes
1 Reply
Reply
1 Reply
Gregory_Wilson3468

‎Mar 01 2024 04:55 AM

‎Mar 01 2024 04:55 AM

Re: Identifying incidents that have been closed by automated investigations

@Cybermscommunityhub 

I would start with something like this:
SecurityIncident
| where Status == "Closed"
| where TimeGenerated > ago(1d) 

| where tostring(AdditionalData.alertProductNames) contains "Microsoft Defender"
| project ModifiedBy, IncidentNumber, Title, Description, Status

 

You could then modify this to look for certain services. 

 

Hope this helps

 

G.

0 Likes
Reply