Forum Discussion
Cybermscommunityhub
Feb 27, 2024 · Copper Contributor
Identifying incidents that have been closed by automated investigations
Is it possible to identify security incidents in Microsoft Sentinel which have been closed automatically after one of the Defender/Microsoft products has carried out an automated investigation and cl...
G_Wilson3468
Mar 01, 2024 · Iron Contributor
I would start with something like this:
SecurityIncident
| where Status == "Closed"
| where TimeGenerated > ago(1d)
| where tostring(AdditionalData.alertProductNames) contains "Microsoft Defender"
| project ModifiedBy, IncidentNumber, Title, Description, Status
You could then modify this to look for certain services.
Hope this helps
G.
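As an added example (not from the original reply), this query builds on the same idea but first reduces SecurityIncident to the latest row per incident, since that table records one row per update, and then surfaces the closing principal and classification fields so automated closures can be separated from analyst ones. The lookback window and the comparison value "Microsoft Defender" are assumptions; the ModifiedBy value written by an automated investigation is environment-specific and is not hard-coded here.

```kql
// Added example, not the original poster's query.
// Goal: list closed incidents whose alerts came from a Defender product,
// together with who (or what) closed them and how they were classified.
let lookback = 7d;                                  // assumption: adjust as needed
SecurityIncident
| where TimeGenerated > ago(lookback)
// SecurityIncident logs one row per incident update; keep only the latest state
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status == "Closed"
// alertProductNames is a dynamic array inside AdditionalData
| extend ProductNames = tostring(AdditionalData.alertProductNames)
| where ProductNames has "Microsoft Defender"       // assumption: product name to match
| project IncidentNumber, Title, Severity, Status,
          Classification, ClassificationReason, ClassificationComment,
          ModifiedBy, ProductNames, ClosedTime
| order by ClosedTime desc
```

To find what the automated closer is called in a given tenant, replace the final project with `summarize count() by ModifiedBy, ClassificationReason` and look for the non-analyst principal; a `where ModifiedBy == "<that value>"` filter then isolates those closures.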