Approve pending actions in Microsoft 365 Defender


Hello,

We are managing Sentinel deployments for customers.

The Sentinel deployments are managed via Azure Lighthouse, so we see all deployments/incidents in one place.

This way we also never log in directly to the customer's tenant.


Microsoft 365 Defender integration with Sentinel is enabled to synchronize incidents/alerts/events.

The incident sync works fine, but we face the problem of how to approve investigations (as we do not log in to the customer's security.microsoft.com).

Is there a way to approve Microsoft 365 Defender investigations (especially MDO) directly from Sentinel with a playbook?


Regards



@slaimer There does not appear to be a way in a playbook (nor a REST API that can be called) that will update an investigation. Seems strange since you can run so many other commands, like listing and cancelling an action.


Looks like the best you could do is to start a new investigation that would not require approval and cancel the original one. Not a great solution overall though.

Hello @Gary Bushey, thank you for your response.
Are you referring to these commands? https://docs.microsoft.com/en-us/graph/api/resources/securityaction

Yes. I could not find any other ones.