NCreminder
Copper Contributor
Jul 19, 2022

Defender incidents are automatically re-opening

Hi,

Recently, I've observed that Defender incidents are automatically changing status from Resolved to Active. When I checked the comments on the incident, I could clearly see that automation is changing the status of the incident from Resolved to Active. Is anyone experiencing the same issue, or does anyone have any idea why it is happening? Thanks in advance!

FYI, please see below how the incident status is changed in the comments section of the incident:

Automation

Status changed from 'Resolved' to 'Active' following reopening of alert "XXXXXXXX"
Jul XX, 2022 9:XX:00 AM
  • Hi,

    Can you explain more about it, please? Who is first resolving the incident? Manually done before the automation starts its investigation?
    • NCreminder
      Copper Contributor
      First, I closed the incident manually, and then the incident was automatically re-opened by automation. (Please note that in this whole process of closing and re-opening incidents, I don't see AIR (Automation Investigation & Remediation) kicking in and doing something to the incident. Basically, there is no sign of an automation investigation being triggered in the incident.)
      • Gerson Levitz
        Iron Contributor
        When the incident is re-opened, are all of the alerts still closed / resolved?
    • Sean_Tickle
      Copper Contributor

      HeikeRitter I'm also experiencing this issue recently.

      The alerts are sent into Sentinel via the Defender 365 connector and are closed on the Sentinel side, which I can then see is reopened several minutes later by automation in the Defender portal itself.

      I've attached a screenshot below, they all pretty much follow the same problem.

      Any ways of getting around this?
