Forum Discussion

mschcomm's avatar
mschcomm
Copper Contributor
Jun 21, 2021
Solved

Automation rules on Microsoft Defender Connector

Hi guys,   Just configured the "Microsoft 365 Defender (Preview)" connector within Sentinel which automatically receives alerts from Defender for Endpoint and MCAS. Is there anyway to auto supress ...
  • Thijs Lecomte's avatar
    Thijs Lecomte
    Jun 21, 2021
    In order to close MDE alerts, select 'All' for the Analytic Rule filter and use Microsoft Product or title conditions to run your rules
Rod_Trent's avatar
Rod_Trent
Icon for Microsoft rankMicrosoft
Jun 21, 2021
You can use an Automation Rule to auto-close the Incident. Otherwise, you would need to tune MDE or MCAS to not send the alert.
  • mschcomm's avatar
    mschcomm
    Copper Contributor
    Jun 21, 2021
    Doesn't that need to be linked to an analytic rule? or do they run also without?
    • Thijs Lecomte's avatar
      Thijs Lecomte
      Bronze Contributor
      Jun 21, 2021
      In order to close MDE alerts, select 'All' for the Analytic Rule filter and use Microsoft Product or title conditions to run your rules
      • mschcomm's avatar
        mschcomm
        Copper Contributor
        Jun 21, 2021

        Thijs Lecomte Thanks Thijs! I totally missed the fact that you could use it without a specific rule.

         

Resources