Forum Discussion

Cybermscommunityhub
Copper Contributor
Feb 27, 2024

Identifying incidents that have been closed by automated investigations

Is it possible to identify security incidents in Microsoft Sentinel which have been closed automatically after one of the Defender/Microsoft products has carried out an automated investigation and closed the incident?

It doesn’t look like there are any tags added to these incidents when that happens, and the “AIR” option in the Automation rule section in Sentinel also doesn’t appear to work.
  • G_Wilson3468
    Iron Contributor

    Cybermscommunityhub 

    I would start with something like this:

    SecurityIncident
    | where Status == "Closed"
    | where TimeGenerated > ago(1d)
    | where tostring(AdditionalData.alertProductNames) contains "Microsoft Defender"
    | project ModifiedBy, IncidentNumber, Title, Description, Status

    You could then modify this to look for certain services.

    Hope this helps

    G.
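A follow-on query in the same spirit, added here as an example and not part of G_Wilson3468's reply. SecurityIncident stores one row per incident update, so the query first keeps only the latest row per incident (otherwise an incident that was closed and then reopened still appears as closed), then groups the closed Defender incidents by the ModifiedBy identity and the closure classification. Automated closures tend to cluster under a non-user ModifiedBy value with a consistent ClassificationReason, which is what to look for in the output; the 7-day window and the five sample incident numbers per group are assumed values you can adjust.

```kql
SecurityIncident
| where TimeGenerated > ago(7d)
// one row per update is logged, so take the most recent state of each incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status == "Closed"
| extend ProductNames = tostring(AdditionalData.alertProductNames)
| where ProductNames contains "Microsoft Defender"
// group by who closed the incident and how it was classified;
// a non-user principal closing many incidents with the same reason is the automated path
| summarize ClosedIncidents = count(),
            SampleIncidents = make_set(IncidentNumber, 5),
            LastClosed = max(ClosedTime)
    by ModifiedBy, Classification, ClassificationReason, ProductNames
| order by ClosedIncidents desc
```

Once the ModifiedBy value used by the automated closures is known, the same filter can be dropped into an automation rule or analytic rule to tag or review those incidents.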
