Forum Discussion

mschcomm
Copper Contributor
Jun 21, 2021
Solved

Automation rules on Microsoft Defender Connector

Hi guys,

Just configured the "Microsoft 365 Defender (Preview)" connector within Sentinel, which automatically receives alerts from Defender for Endpoint and MCAS. Is there any way to auto-suppress alerts with automation rules? I receive an alert which I do not need in Sentinel (but the customer wants the alert), but I cannot see an option for automation rules since it does not have an analytic rule.

Closing it with a Playbook or something like that would work, but I am curious if people use different solutions.

Cheers!

4 Replies

  • You can use an Automation Rule to auto-close the Incident. Otherwise, you would need to tune MDE or MCAS to not send the alert.
      mschcomm
      Copper Contributor
      Doesn't that need to be linked to an analytic rule? Or do they also run without one?
        Thijs Lecomte
        Bronze Contributor
        In order to close MDE alerts, select 'All' for the Analytic Rule filter and use Microsoft Product or title conditions to run your rules
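A deployable form of that answer, added here as an example and not taken from this thread: an ARM template for a Sentinel automation rule that triggers on incident creation regardless of analytic rule and closes incidents whose alerts come from Defender for Endpoint and carry a given title. The workspace name, the rule GUID and the alert title are placeholders, and "Microsoft Defender for Endpoint" is the assumed product-name string.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/automationRules",
      "apiVersion": "2021-10-01",
      "name": "<workspace-name>/Microsoft.SecurityInsights/<automation-rule-guid>",
      "properties": {
        "displayName": "Auto-close expected MDE alert",
        "order": 1,
        "triggeringLogic": {
          "isEnabled": true,
          "triggersOn": "Incidents",
          "triggersWhen": "Created",
          "conditions": [
            {
              "conditionType": "Property",
              "conditionProperties": {
                "propertyName": "AlertProductNames",
                "operator": "Contains",
                "propertyValues": [ "Microsoft Defender for Endpoint" ]
              }
            },
            {
              "conditionType": "Property",
              "conditionProperties": {
                "propertyName": "IncidentTitle",
                "operator": "Contains",
                "propertyValues": [ "<placeholder alert title>" ]
              }
            }
          ]
        },
        "actions": [
          {
            "order": 1,
            "actionType": "ModifyProperties",
            "actionConfiguration": {
              "status": "Closed",
              "classification": "BenignPositive",
              "classificationReason": "SuspiciousButExpected"
            }
          }
        ]
      }
    }
  ]
}
```

Leaving out any IncidentRelatedAnalyticRuleIds condition is the template equivalent of choosing 'All' for the analytic rule filter in the portal; the rule then closes only incidents that match both the product and the title condition, so unrelated MDE incidents stay open.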
