Raae_
Dec 05, 2023

Defender Experts | Sentinel Automation based on Defender Experts Notifications (DENs)

Based on invaluable customer feedback, we're rolling out the first installment of our Defender Experts “cookbook”—a guide to enhance your experience with Sentinel automation based on Defender Experts Notifications (DENs). This customer-driven initiative reflects the importance our customers place on efficient SIEM automation to manage their operations effectively. This guide is a direct response to your insights. Think of it as a recipe book tailored to maximize the power of Defender Experts services. From optimizing DENs for automation to sharing pro tips, the guide is a collaborative effort to fortify our collective defense against evolving cyber threats.

 

This collaborative effort reflects our commitment to transforming customer input into actionable solutions, with each new “recipe” empowering customers to navigate the complexities of the cybersecurity terrain with the confidence that Microsoft Defender Experts have their back. We encourage users to experiment with these insights and share their experiences, contributing to an ongoing dialogue that strengthens collective defenses against evolving cyber threats. Your success and protection against advanced threats is at the heart of our mission, and we look forward to continuing this collaborative journey together.

 

Defender Experts | Sentinel Automation – NEW Defender Experts Notifications

To configure an automation rule that fires on NEW incidents issued as Defender Experts Notifications (DENs), use the following trigger and conditions:

 

Select Trigger When Incident is Created

Select If Incident provider Equals Microsoft Defender XDR

AND

Select Title Contains Defender Experts

 

Then configure the Actions the rule should take when those conditions match, for example run a specific playbook or assign a particular owner to the incident.

 

Screenshot of Sentinel Automation Rule Trigger and Conditions based on NEW Incidents issued as DENs

 

Defender Experts | Sentinel Automation – EXISTING Incidents that are upgraded to DENs

An incident that already exists in Sentinel does not fire the "incident created" trigger again when Defender Experts add their alerts to it, so the upgrade has to be caught as an incident update. To configure an automation rule for EXISTING incidents that are upgraded to Defender Experts Notifications (DENs), use the following trigger and conditions:

 

Select Trigger When Incident is Updated

Select If Incident provider Equals Microsoft Defender XDR

AND

Select Alerts Added

AND

Select Title Contains Defender Experts

 

Then configure the Actions the rule should take when those conditions match, for example run a specific playbook or assign a particular owner to the incident.

 

Screenshot of Sentinel Automation Rule Trigger and Conditions based on EXISTING Incidents Upgraded to DENs
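The two rules above, as an added example that is not part of the original post and not Microsoft's code: the NEW-DEN rule and the UPGRADED-DEN rule are written out as rule bodies in the shape of the Microsoft.SecurityInsights/automationRules REST payload, and a small matcher replays constructed incident events against them so you can see that a brand-new DEN only fires the "created" rule, while an existing incident that gains Defender Experts alerts only fires the "updated" rule. Assumptions not stated on the page: the Defender XDR provider is identified as "Microsoft 365 Defender" on the API side and in the SecurityIncident table (check your own workspace before relying on it), the portal's "Alerts Added" condition corresponds to a PropertyArrayChanged condition on the Alerts array, string operators are case-insensitive, and the owner object ID and incident titles are placeholders.

```python
"""Added example: Sentinel automation rules for Defender Experts Notifications
expressed as REST-style rule bodies, plus a matcher that replays constructed
incident events against them. Not Microsoft's code; see assumptions in comments."""
from dataclasses import dataclass

DEN_MARKER = "Defender Experts"
XDR_PROVIDER = "Microsoft 365 Defender"  # assumed API-side name of Microsoft Defender XDR


def den_rule_bodies(owner_object_id: str) -> dict:
    """Return {rule_name: properties} for the NEW-DEN and UPGRADED-DEN rules."""
    provider_is_xdr = {
        "conditionType": "Property",
        "conditionProperties": {
            "propertyName": "IncidentProviderName",
            "operator": "Equals",
            "propertyValues": [XDR_PROVIDER],
        },
    }
    title_has_den = {
        "conditionType": "Property",
        "conditionProperties": {
            "propertyName": "IncidentTitle",
            "operator": "Contains",
            "propertyValues": [DEN_MARKER],
        },
    }
    alerts_added = {  # assumed encoding of the portal's "Alerts Added" condition
        "conditionType": "PropertyArrayChanged",
        "conditionProperties": {"arrayType": "Alerts", "changeType": "Added"},
    }
    assign_owner = {  # the "assign an owner" action the post suggests; a playbook action slots in the same way
        "order": 1,
        "actionType": "ModifyProperties",
        "actionConfiguration": {"owner": {"objectId": owner_object_id, "ownerType": "User"}},
    }

    def rule(name, triggers_when, conditions):
        return {
            "displayName": name,
            "order": 1,
            "triggeringLogic": {
                "isEnabled": True,
                "triggersOn": "Incidents",
                "triggersWhen": triggers_when,   # "Created" or "Updated"
                "conditions": conditions,        # all conditions must hold (AND)
            },
            "actions": [assign_owner],
        }

    return {
        "new-den": rule("DEN - new incident", "Created", [provider_is_xdr, title_has_den]),
        "upgraded-den": rule("DEN - upgraded incident", "Updated",
                             [provider_is_xdr, alerts_added, title_has_den]),
    }


@dataclass
class IncidentEvent:
    """A constructed incident event as the automation engine would see it (not real data)."""
    trigger: str               # "Created" or "Updated"
    provider: str
    title: str
    alerts_added: bool = False  # only meaningful for Updated events


def condition_matches(cond: dict, ev: IncidentEvent) -> bool:
    props = cond["conditionProperties"]
    if cond["conditionType"] == "Property":
        actual = {"IncidentProviderName": ev.provider, "IncidentTitle": ev.title}[props["propertyName"]]
        actual = actual.lower()                                   # assumed case-insensitive matching
        wanted = [v.lower() for v in props["propertyValues"]]
        if props["operator"] == "Equals":
            return actual in wanted
        if props["operator"] == "Contains":
            return any(w in actual for w in wanted)
        raise ValueError(f"unsupported operator {props['operator']}")
    if cond["conditionType"] == "PropertyArrayChanged":
        return props["arrayType"] == "Alerts" and props["changeType"] == "Added" and ev.alerts_added
    raise ValueError(f"unsupported condition {cond['conditionType']}")


def rule_fires(rule: dict, ev: IncidentEvent) -> bool:
    logic = rule["triggeringLogic"]
    if not logic["isEnabled"] or logic["triggersWhen"] != ev.trigger:
        return False
    return all(condition_matches(c, ev) for c in logic["conditions"])


def matching_rules(rules: dict, ev: IncidentEvent) -> list:
    """Sorted names of the rules that would fire for this event."""
    return sorted(name for name, r in rules.items() if rule_fires(r, ev))


if __name__ == "__main__":
    rules = den_rule_bodies("00000000-0000-0000-0000-000000000000")  # placeholder owner object ID
    events = {
        "new DEN": IncidentEvent("Created", XDR_PROVIDER, "Defender Experts: suspicious sign-in"),
        "existing incident upgraded": IncidentEvent("Updated", XDR_PROVIDER,
                                                    "Defender Experts: suspicious sign-in", alerts_added=True),
        "ordinary XDR update": IncidentEvent("Updated", XDR_PROVIDER, "Multi-stage incident", alerts_added=True),
    }
    for label, ev in events.items():
        print(f"{label:28} -> {matching_rules(rules, ev)}")
```

The matcher is deliberately strict about the trigger: the upgraded-incident event never reaches the "created" rule, which is the reason the post needs two rules rather than one. If your DEN titles or provider names differ from the assumed strings, adjust `DEN_MARKER` and `XDR_PROVIDER` after checking the SecurityIncident table in your workspace.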

 
