Forum Discussion

Copper Contributor

Jul 19, 2022

defender incidents are automatically re-opening

Hi, Recently, I've observed that defender incidents are automatically changing the status from Resolved to Active. When I checked the comments on the incident, I can clearly see that automation ...

microsoft defender for office 365

HeikeRitter

Microsoft

Jul 22, 2022

Hi,

can you explain more about it please. Who is first resolving the incident? Manually done before the automation starts its investigation?

NCreminder

Copper Contributor

Aug 04, 2022

First, I closed the incident manually, and then the incident is automatically re-opened by automation. (please note that in this whole process of closing and re-opening incidents, I don't see the AIR(Automation Investigation & Remediation) kicked in and doing something to the incident - Basically, there is no sign of Automation investigation triggered in the incident )

Gerson Levitz
Iron Contributor
Aug 05, 2022
When the Incident is re-opened are all of the alerts still closed / resolved?
- NCreminder
  Copper Contributor
  Aug 05, 2022
  those are marked as new after they are re-opened
  - Gerson Levitz
    Iron Contributor
    Aug 05, 2022
    Just to clarify are all the alerts in the Incident marked as "new" after the incident is re-opened?
    
    Are there any new alerts that have been added / updated the same time the incident was re-opened?