Forum Discussion
LeenoldTN
Jan 05, 2023 | Copper Contributor
SOAR - Automatically closing incidents from Microsoft Defender for Office
Hi All, I am trying to leverage Microsoft Sentinel's SOAR capabilities to automatically close false positive alerts from Microsoft Defender for Office. The particular policy I want to address now...
LeenoldTN
Jan 06, 2023 | Copper Contributor
Thank you, KM-Neotiss,
This alert is from an inbuilt policy in MDO, I am not able to modify it, that is why I am resorting to dealing with it from Sentinel.
KM-Neotiss
Jan 06, 2023 | Copper Contributor
Hi LeenoldTN,
Even if it is a built-in alert, you can disable this particular alert, but you will need to create a new rule using a KQL query.
I did the same with the "forwarding alert" (allowing internal forwarding, an alert I first wanted to "auto-close").
But why create a workaround when you're able to make a more accurate rule?
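As an added illustration of the approach described in this reply (this is example code, not something posted in the thread or shipped by Microsoft): a Microsoft Sentinel scheduled analytics rule query that re-creates a mailbox-forwarding detection over the OfficeActivity table but only fires when the destination is outside the organisation, so internal forwarding never raises an incident and the built-in MDO alert can be disabled instead of auto-closed. The internal domain list is a constructed placeholder, and the query assumes the Exchange audit records expose the cmdlet arguments as the JSON array of {Name, Value} pairs in the Parameters column, which is how the Office 365 connector writes them.

```kql
// Added example: external-only mail forwarding detection for a Sentinel scheduled rule.
// Assumptions (replace for your tenant): InternalDomains is a constructed allow-list;
// OfficeActivity.Parameters is a JSON array of {Name, Value} pairs for Exchange cmdlets.
let InternalDomains = dynamic(["contoso.com", "contoso.onmicrosoft.com"]);
// Cmdlet parameters that can send a copy of mail somewhere else.
let ForwardingParams = dynamic(["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                                "ForwardingSmtpAddress", "ForwardingAddress"]);
OfficeActivity
| where TimeGenerated > ago(1h)                     // match the rule's query period
| where OfficeWorkload =~ "Exchange"
| where Operation in~ ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
| where ResultStatus in~ ("True", "Succeeded")      // only cmdlets that actually applied
| extend Params = parse_json(Parameters)
| mv-expand Params                                   // one row per cmdlet argument
| extend ParamName = tostring(Params.Name), ParamValue = tostring(Params.Value)
| where ParamName in~ (ForwardingParams)
// Values arrive as "smtp:bob@partner.example" or "Bob [SMTP:bob@partner.example]";
// pull out the bare SMTP address so the domain comparison is reliable.
| extend ForwardTarget = extract(@"([a-z0-9._%+\-]+@[a-z0-9.\-]+\.[a-z]{2,})", 1, tolower(ParamValue))
| where isnotempty(ForwardTarget)
| extend TargetDomain = tostring(split(ForwardTarget, "@")[1])
// The accuracy gain over the built-in alert: internal destinations are excluded here,
// in the rule logic, rather than closed afterwards by a playbook.
| where TargetDomain !in~ (InternalDomains)
| project TimeGenerated, UserId, ClientIP, Operation, ParamName, ForwardTarget, TargetDomain
```

When saving this as an analytics rule, map UserId to the Account entity and ClientIP to the IP entity so the resulting incidents carry the same investigation context the built-in alert provided; setting the rule's lookback equal to its run frequency avoids duplicate incidents for the same audit record.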