defender incidents are automatically re-opening

Occasional Contributor

Hi,

 

Recently, I've observed that defender incidents are automatically changing the status from Resolved to Active.  When I checked the comments on the incident, I can clearly see that automation is changing the status of the incident from Resolved to Active. Is anyone experiencing the same issue or has any idea why is it happening? Thanks in advance!

FYI, please see below how the incident status is changed in the comments section of the incident,

 

Automation

Status changed from 'Resolved' to 'Active' following reopening of alert "XXXXXXXX"
Jul XX, 2022 9:XX:00 AM
9 Replies
Hi,

can you explain more about it please. Who is first resolving the incident? Manually done before the automation starts its investigation?

@Heike RitterI'm also experiencing this issue recently.

 

The alerts are sent into Sentinel via the Defender 365 connector and are closed on the Sentinel side, which i can then see is reopened several minutes later by automation in the Defender portal itself.

I've attached a screenshot below, they all pretty much follow the same problem.

Sean_Tickle_0-1659600228468.png

 

Any ways of getting around this?

 

First, I closed the incident manually, and then the incident is automatically re-opened by automation. (please note that in this whole process of closing and re-opening incidents, I don't see the AIR(Automation Investigation & Remediation) kicked in and doing something to the incident - Basically, there is no sign of Automation investigation triggered in the incident )
When the Incident is re-opened are all of the alerts still closed / resolved?
those are marked as new after they are re-opened
Just to clarify are all the alerts in the Incident marked as "new" after the incident is re-opened?

Are there any new alerts that have been added / updated the same time the incident was re-opened?

@Gerson Levitz my tickets are flipping back into in progress.

 

@Heike Ritter or @Gerson Levitz do I need to open a different ticket here or is this issue being dealt with jointly?

as one incident is a group of alert/alerts - so once the incident in question is re-opened, then the alert is also re-opened.
And answer to your next question is NO - there were no new alerts added/updated to the same incident.
I would open a support case so this can be looked into in more details.