Forum Discussion
NCreminder
Jul 19, 2022, Copper Contributor
Defender incidents are automatically re-opening
Hi, Recently, I've observed that Defender incidents are automatically changing the status from Resolved to Active. When I checked the comments on the incident, I can clearly see that automation ...
HeikeRitter
Jul 22, 2022, Microsoft
Hi,
can you explain more about it, please? Who is first resolving the incident? Is it manually done before the automation starts its investigation?
- Sean_Tickle, Aug 04, 2022, Copper Contributor
HeikeRitter I'm also experiencing this issue recently.
The alerts are sent into Sentinel via the Defender 365 connector and are closed on the Sentinel side, which I can then see are reopened several minutes later by automation in the Defender portal itself.
I've attached a screenshot below; they all pretty much follow the same problem.
Any ways of getting around this?
- NCreminder, Aug 04, 2022, Copper Contributor
First, I closed the incident manually, and then the incident is automatically re-opened by automation. (Please note that in this whole process of closing and re-opening incidents, I don't see the AIR (Automation Investigation & Remediation) kicked in and doing something to the incident. Basically, there is no sign of an automation investigation triggered in the incident.)
- Gerson Levitz, Aug 05, 2022, Iron Contributor
When the incident is re-opened, are all of the alerts still closed / resolved?
- NCreminder, Aug 05, 2022, Copper Contributor
Those are marked as new after they are re-opened.