
slaimer
Copper Contributor
Dec 14, 2021
Solved

Approve pending actions in Microsoft 365 Defender

Hello, we are managing Sentinel deployments for customers. The Sentinel deployments are managed via Azure Lighthouse, so we see all deployments/incidents in one place. This way we also never login...
  • GaryBushey
    Dec 15, 2021

    slaimer There does not appear to be a way in a playbook (nor a REST API that can be called) that will update an investigation. Seems strange since you can do so many other commands like list and cancel an action.

    Looks like the best you could do is to start a new investigation that would not require approval and cancel the original one. Not a great solution overall though.
