
Approve pending actions in Microsoft 365 Defender


Hello,

We are managing Sentinel deployments for customers.

The Sentinel deployments are managed via Azure Lighthouse, so we see all deployments/incidents in one place.

This way we also never log in directly to the customer's tenant.


Microsoft 365 Defender integration with Sentinel is enabled to synchronize incidents/alerts/events.

The incident sync works fine, but we face the problem of how to approve investigations (as we do not log in to the customer's security.microsoft.com).

Is there a way to approve Microsoft 365 Defender investigations (especially MDO) directly from Sentinel with a playbook?


Regards



@slaimer There does not appear to be a way in a playbook (nor a REST API that can be called) that will update an investigation. It seems strange, since you can run so many other commands, like listing and cancelling an action.


Looks like the best you could do is to start a new investigation that would not require approval and cancel the original one. Not a great solution overall, though.

Hello @Gary Bushey, thank you for your response.
Are you referring to these commands? https://docs.microsoft.com/en-us/graph/api/resources/securityaction

Yes. I could not find any other ones.
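The operations the thread ends up pointing at, listing securityActions and calling cancelSecurityAction on one in the Microsoft Graph Security API, as an added example that is not code from the original posts or from Microsoft. It assumes the resource is called on the Graph beta endpoint, that a bearer token has already been obtained (for instance from an app registration granted SecurityActions.ReadWrite.All), and it goes through an injected transport with a constructed two-page response so it runs offline; every name in it (fake_graph_transport, the act-00x ids, the sample payloads) is the example's own. It lists and cancels securityActions only; it does not approve a pending automated-investigation action, which is exactly the gap the thread identifies.

```python
"""List and cancel Microsoft Graph securityActions.

Added example (not code from the thread). Assumptions, all labelled:
- securityActions is called on the Graph beta endpoint;
- the caller already holds a bearer token for Graph (e.g. an app registration
  granted SecurityActions.ReadWrite.All);
- HTTP goes through an injected transport so the flow runs offline against a
  constructed response (fake_graph_transport below).
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Assumption: the securityActions resource is exposed under the beta endpoint.
GRAPH_BASE = "https://graph.microsoft.com/beta"

# transport(method, url, headers, body) -> (http_status, response_text)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]


def _headers(token: str) -> Dict[str, str]:
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def list_security_actions(token: str, transport: Transport,
                          status: Optional[str] = None) -> List[dict]:
    """GET /security/securityActions, following @odata.nextLink until exhausted.
    If status is given (notStarted, running, completed, failed), keep only matches."""
    url = f"{GRAPH_BASE}/security/securityActions"
    actions: List[dict] = []
    while url:
        code, body = transport("GET", url, _headers(token), None)
        if code != 200:
            raise RuntimeError(f"list securityActions failed: HTTP {code}: {body}")
        page = json.loads(body)
        actions.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page -> loop ends
    if status is not None:
        actions = [a for a in actions if a.get("status") == status]
    return actions


def cancel_security_action(token: str, transport: Transport, action_id: str) -> bool:
    """POST /security/securityActions/{id}/cancelSecurityAction.
    True on 204 (cancellation accepted), False if the id is unknown (404)."""
    url = f"{GRAPH_BASE}/security/securityActions/{action_id}/cancelSecurityAction"
    code, body = transport("POST", url, _headers(token), None)
    if code == 204:
        return True
    if code == 404:
        return False
    raise RuntimeError(f"cancel {action_id} failed: HTTP {code}: {body}")


def cancel_running_actions(token: str, transport: Transport) -> List[str]:
    """Cancel every action still 'running'; returns the ids that were cancelled."""
    cancelled: List[str] = []
    for action in list_security_actions(token, transport, status="running"):
        if cancel_security_action(token, transport, action["id"]):
            cancelled.append(action["id"])
    return cancelled


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, str]:
    """Real transport for use against Graph once you have a token."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


# --- constructed sample data (not output from any real tenant) ---------------
_PAGE1 = {
    "value": [
        {"id": "act-001", "name": "BlockIp", "status": "running"},
        {"id": "act-002", "name": "BlockIp", "status": "completed"},
    ],
    "@odata.nextLink": f"{GRAPH_BASE}/security/securityActions?$skiptoken=page2",
}
_PAGE2 = {"value": [{"id": "act-003", "name": "BlockIp", "status": "running"}]}
_KNOWN_IDS = {"act-001", "act-002", "act-003"}


def fake_graph_transport(method: str, url: str, headers: Dict[str, str],
                         body: Optional[bytes]) -> Tuple[int, str]:
    """Offline stand-in for Graph: two list pages plus the cancel endpoint."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or not auth[7:].strip():
        return 401, '{"error":"missing bearer token"}'
    if method == "GET" and url.endswith("/security/securityActions"):
        return 200, json.dumps(_PAGE1)
    if method == "GET" and "$skiptoken=page2" in url:
        return 200, json.dumps(_PAGE2)
    if method == "POST" and url.endswith("/cancelSecurityAction"):
        action_id = url.rsplit("/", 2)[-2]
        return (204, "") if action_id in _KNOWN_IDS else (404, '{"error":"not found"}')
    return 404, '{"error":"unknown route"}'


if __name__ == "__main__":
    # Swap in urllib_transport and a real token to run against Graph.
    print(cancel_running_actions("fake-token", fake_graph_transport))  # ['act-001', 'act-003']
```

The transport is injected so the same functions can be exercised from a Logic App's HTTP action equivalent, a test, or a real run; the pagination loop matters in practice because a tenant with many actions will not fit in one page.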