Forum Discussion
LeenoldTN
Jan 05, 2023, Copper Contributor
SOAR - Automatically closing incidents from Microsoft Defender for Office
Hi All, I am trying to leverage Microsoft Sentinel's SOAR capabilities to automatically close false positive alerts from Microsoft Defender for Office. The particular policy I want to address now...
KM-Neotiss
Jan 05, 2023, Copper Contributor
Hello LeenoldTN,
Indeed you can create an "auto close", but it's smarter to update the rule that creates the alert to be more accurate according to your policy.
It will reduce cost and give you cleaner reports on incidents and SLA (and other kinds of links that could be relevant, such as linked alerts).
Except if you're not sure and prefer to auto-close and keep the links in case of investigations. 😀
LeenoldTN
Jan 06, 2023, Copper Contributor
Thank you KM-Neotiss,
This alert is from an inbuilt policy in MDO, I am not able to modify it, that is why I am resorting to dealing with it from Sentinel.
KM-Neotiss
Jan 06, 2023, Copper Contributor
Hi LeenoldTN,
Even if you have a built-in alert, you can disable this particular alert, but you will need to create a new rule using a KQL query.
I did the same with the "forwarding alert" (allowing internal forwarding alerts, where I first wanted to "auto-close" it).
But why create a workaround when you're able to make a more accurate rule?
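As an added illustration of the approach KM-Neotiss describes (disable the built-in alert, then re-create it as a Microsoft Sentinel scheduled analytics rule with the exclusion built into the query), here is an example KQL rule for the "forwarding rule created" case that ignores forwarding to internal domains. This is example code written for this page, not code posted in the thread or shipped with Sentinel or Defender for Office. It assumes the OfficeActivity table is populated by the Office 365 connector, that the Parameters column holds a JSON array of {Name, Value} pairs as logged by Exchange Online, and that the internal domain list is a placeholder you replace with your own.

```kql
// Example scheduled analytics rule (added here as an illustration, not the
// thread's or Microsoft's code). Replaces a built-in "forwarding rule created"
// alert with a query that excludes forwarding to internal domains, so no
// auto-close playbook is needed for those false positives.
// Assumption: the domains below are placeholders for the tenant's own domains.
let internalDomains = dynamic(["contoso.com", "contoso.onmicrosoft.com"]);
// Inbox-rule and mailbox parameters that carry a forwarding target.
let forwardParams = dynamic(["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                             "ForwardingSmtpAddress", "ForwardingAddress"]);
OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
| where ResultStatus == "Succeeded"
// Assumption: Parameters is a JSON array of {Name, Value}; expand it and keep
// only the forwarding-related entries.
| mv-expand Param = parse_json(Parameters)
| where tostring(Param.Name) in (forwardParams)
| extend Target = tolower(tostring(Param.Value))
// ForwardingSmtpAddress values are prefixed "smtp:"; strip it before parsing.
| extend Target = trim_start(@"smtp:", Target)
| extend TargetDomain = tostring(split(Target, "@")[1])
// Values that are not SMTP addresses (e.g. a mailbox display name) have no
// domain and are dropped here rather than mis-classified.
| where isnotempty(TargetDomain)
// The exclusion the built-in alert does not offer: internal forwarding is
// tolerated, anything else raises the alert.
| where TargetDomain !in (internalDomains)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            Targets = make_set(Target), Operations = make_set(Operation)
            by UserId, ClientIP
| extend AccountCustomEntity = UserId, IPCustomEntity = ClientIP
```

Run the query in Logs first over a few days of history to confirm the exclusion catches exactly the internal cases you expect, then save it as a scheduled rule with account and IP entity mapping; the resulting incidents carry the original forwarding targets in the Targets column, so an investigator still sees the full picture without a playbook having closed anything.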