Forum Discussion
NCreminder
Jul 19, 2022
Copper Contributor
Defender incidents are automatically re-opening
Hi,
Recently, I've observed that Defender incidents are automatically changing status from Resolved to Active. When I checked the comments on the incident, I can clearly see that automation is changing the status of the incident from Resolved to Active. Is anyone experiencing the same issue, or does anyone have any idea why it is happening? Thanks in advance!
FYI, please see below how the incident status is changed in the comments section of the incident,
Automation
Status changed from 'Resolved' to 'Active' following reopening of alert "XXXXXXXX"
Jul XX, 2022 9:XX:00 AM
- HeikeRitter
Microsoft
Hi,
Can you explain more about it, please? Who is first resolving the incident? Manually done before the automation starts its investigation?
- NCreminder
Copper Contributor
First, I closed the incident manually, and then the incident is automatically re-opened by automation. (Please note that in this whole process of closing and re-opening incidents, I don't see the AIR (Automation Investigation & Remediation) kicking in and doing something to the incident. Basically, there is no sign of an Automation investigation being triggered in the incident.)
- Gerson Levitz
Iron Contributor
When the Incident is re-opened are all of the alerts still closed / resolved?
- Sean_Tickle
Copper Contributor
HeikeRitter I'm also experiencing this issue recently.
The alerts are sent into Sentinel via the Defender 365 connector and are closed on the Sentinel side, which I can then see is reopened several minutes later by automation in the Defender portal itself.
I've attached a screenshot below, they all pretty much follow the same problem.
Any ways of getting around this?