Dec 14 2021 03:26 AM
Hello,
we are managing Sentinel deployments for customers.
The Sentinel deployments are managed via Azure Lighthouse, so we see all deployments/incidents in one place.
This way we also never log in directly to the customer's tenant.
Microsoft 365 Defender integration with Sentinel is enabled to synchronize incidents/alerts/events.
The incident sync works fine, but we face the problem of how to approve investigations (as we do not log in to the customer's security.microsoft.com).
Is there a way to approve Microsoft 365 Defender investigations (especially MDO) directly from Sentinel with a playbook?
Regards
Dec 15 2021 04:41 AM
Solution
@slaimer There does not appear to be a way in a playbook (nor a REST API that can be called) that will update an investigation. Seems strange since you can do so many other commands like list and cancel an action.
Looks like the best you could do is to start a new investigation that would not require approval and cancel the original one. Not a great solution overall though.
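As an added example (not code from the thread or from Microsoft), here is the skeleton of what a playbook-side script for the workaround above would look like against the Defender for Endpoint API: authenticate with an app registration via the client-credentials grant, list investigations that are waiting on a human, and start a fresh automated investigation on the affected device. The endpoint paths (`/api/investigations`, `/api/machines/{id}/startInvestigation`), the `Alert.ReadWrite.All` permission, and the `PendingApproval` state value are assumptions drawn from the public MDE API shape, not facts stated in the thread; verify them against current documentation before relying on them. The thread does not identify an endpoint for cancelling an investigation, so that step is deliberately not implemented here. The request builders are pure functions so they can be checked without network access; the sample investigation list at the bottom is constructed.

```python
"""Added example: Sentinel playbook helper for Defender for Endpoint investigations.

Assumptions (not confirmed by the forum thread):
- App registration granted the MDE API permission Alert.ReadWrite.All.
- MDE API endpoints:
    GET  https://api.securitycenter.microsoft.com/api/investigations
    POST https://api.securitycenter.microsoft.com/api/machines/{id}/startInvestigation
- Investigations waiting on an analyst carry state == "PendingApproval".
"""
import json
import os
import urllib.parse
import urllib.request

MDE_API = "https://api.securitycenter.microsoft.com/api"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://api.securitycenter.microsoft.com/.default"


def build_token_request(tenant, client_id, client_secret):
    """Return (url, form-encoded body) for the OAuth2 client-credentials grant."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": SCOPE,
    }).encode()
    return TOKEN_URL.format(tenant=tenant), body


def build_list_investigations_request(state=""):
    """Return the GET URL for investigations, optionally filtered with an OData
    $filter on the 'state' field (assumption: the list API accepts this filter)."""
    url = f"{MDE_API}/investigations"
    if state:
        url += "?" + urllib.parse.urlencode({"$filter": f"state eq '{state}'"})
    return url


def build_start_investigation_request(machine_id, comment):
    """Return (url, JSON body) for starting a new automated investigation on a device."""
    url = f"{MDE_API}/machines/{urllib.parse.quote(machine_id, safe='')}/startInvestigation"
    return url, {"Comment": comment}


def pending_approval(investigations):
    """Pick out investigations waiting on a human (assumed state value 'PendingApproval')."""
    return [i for i in investigations if i.get("state") == "PendingApproval"]


def _call(url, token, method="GET", body=None):
    """Minimal authenticated JSON call using only the standard library."""
    data = None
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def get_token(tenant, client_id, client_secret):
    """Exchange app credentials for a bearer token scoped to the MDE API."""
    url, body = build_token_request(tenant, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())["access_token"]


# Constructed sample of what the list call returns, used when no credentials are set.
SAMPLE_INVESTIGATIONS = [
    {"id": 1001, "state": "PendingApproval", "machineId": "machine-a"},
    {"id": 1002, "state": "Running", "machineId": "machine-b"},
    {"id": 1003, "state": "PendingApproval", "machineId": "machine-c"},
]


def main():
    tenant = os.environ.get("MDE_TENANT")
    client_id = os.environ.get("MDE_CLIENT_ID")
    client_secret = os.environ.get("MDE_CLIENT_SECRET")
    if not (tenant and client_id and client_secret):
        print("No credentials in environment; using constructed sample data.")
        waiting = pending_approval(SAMPLE_INVESTIGATIONS)
    else:
        token = get_token(tenant, client_id, client_secret)
        listing = _call(build_list_investigations_request("PendingApproval"), token)
        waiting = pending_approval(listing.get("value", []))
    for inv in waiting:
        url, body = build_start_investigation_request(inv["machineId"], f"Re-run of {inv['id']} from Sentinel playbook")
        print(f"would POST {url} with {json.dumps(body)}")


if __name__ == "__main__":
    main()
```

Run with `MDE_TENANT`, `MDE_CLIENT_ID` and `MDE_CLIENT_SECRET` set to hit the real API; without them it only exercises the request builders on the constructed sample. Keep the client secret in Key Vault rather than in the playbook definition, and scope the app registration to the single customer tenant you are acting in.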
Dec 15 2021 01:54 PM
Hello @Gary Bushey, thank you for your response.
Are you referring to these commands? https://docs.microsoft.com/en-us/graph/api/resources/securityaction