Forum Discussion
Automation rule based on a specific Security Alert
Yes, you can apply an automation rule to a specific alert nonetheless, if the security alert is generated from Identity Protection.
Thanks 🙂
Dear Ankit,
Can you please explain to me how I can do that?
When I create the new automation rule, I cannot select the "Security Alert" family in the conditions.
I want to create an automation rule that occurs every time I hit the Security Alert "User compromised in AiTM phishing attack".
Thank you!
Luca
- Ankit, Oct 03, 2024, Brass Contributor
Hi,
I'd be happy to help you with creating an automation rule that triggers on a specific Security Alert.
Trigger and Conditions
To create an automation rule that occurs every time you hit a specific Security Alert, you need to select the correct trigger and conditions.
You should select the When an Incident is created trigger and then define the conditions using the Analytic rule name property.
Why "Security Alert" Family Is Not Available
As these alerts are generated by Defender for Endpoint, that's the reason they are not showing in the SecurityAlerts table like the alerts being generated by Identity Protection.
Solution:
You have to create a scheduled or NRT analytic rule so that you can select it in the condition.
Select the When an alert is created trigger.
Add a condition using the Analytic rule name property.
Select Contains as the operator.
Enter the exact name of the Security Incident you want to trigger the automation rule, such as "User compromised in AiTM phishing attack".
Let me know if you have any questions.
Thanks
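The steps in the answer above, expressed as infrastructure-as-code so the workaround can be reviewed and deployed repeatably. This is an added example and not code from the thread or from Microsoft: it assumes a Bicep deployment scoped to an existing Log Analytics workspace, a scheduled analytic rule that filters the SecurityAlert table on the alert name, and an automation rule whose condition references that analytic rule by resource ID (which is what the portal's "Analytic rule name" condition stores). The rule names, the KQL projection, the five-minute schedule and the chosen action (raising incident severity) are the author's choices, not from the original post.

```bicep
// Added example, not from the thread. Assumed: an existing workspace named by
// workspaceName; apiVersion 2023-02-01 for both Sentinel resources.
param workspaceName string
param alertName string = 'User compromised in AiTM phishing attack'

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// Step 1: a scheduled analytic rule that re-raises the named alert, so that an
// analytic rule exists for the automation-rule condition to match on.
resource aitmRule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  scope: workspace
  name: guid(workspaceName, 'aitm-alert-passthrough')
  kind: 'Scheduled'
  properties: {
    displayName: 'AiTM alert passthrough'
    description: 'Re-raises "${alertName}" so automation rules can key on this rule.'
    enabled: true
    severity: 'High'
    // Exact-match on AlertName; the column names are standard SecurityAlert columns.
    query: 'SecurityAlert | where AlertName == "${alertName}" | project TimeGenerated, AlertName, CompromisedEntity, Entities, ProviderName'
    queryFrequency: 'PT5M'
    queryPeriod: 'PT5M'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionDuration: 'PT1H'
    suppressionEnabled: false
  }
}

// Step 2: the automation rule. Trigger "when incident is created", condition
// "analytic rule contains <the rule above>", action: set severity to High.
resource aitmAutomation 'Microsoft.SecurityInsights/automationRules@2023-02-01' = {
  scope: workspace
  name: guid(workspaceName, 'aitm-automation')
  properties: {
    displayName: 'Escalate AiTM incidents'
    order: 1
    triggeringLogic: {
      isEnabled: true
      triggersOn: 'Incidents'
      triggersWhen: 'Created'
      conditions: [
        {
          conditionType: 'Property'
          conditionProperties: {
            // The condition stores analytic rule resource IDs, so reference the
            // rule deployed above rather than typing its display name.
            propertyName: 'IncidentRelatedAnalyticRuleIds'
            operator: 'Contains'
            propertyValues: [
              aitmRule.id
            ]
          }
        }
      ]
    }
    actions: [
      {
        order: 1
        actionType: 'ModifyProperties'
        actionConfiguration: {
          severity: 'High'
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file aitm.bicep --parameters workspaceName=<workspace>` (placeholders in angle brackets). Referencing `aitmRule.id` in the condition, rather than a hand-typed name, keeps the automation rule pointing at the right analytic rule even if its display name is later changed.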