Microsoft Tech Community

Automation and Metrics


Hi All

I am trying (and failing) to look for a way to pull some information that will show (by example):

Number of Security Alerts

Number of Security Incidents

And then a pivot that says - X were created but Y were auto closed due to Sentinel automation rules. Is this something someone has already done or considered? Tks in advance

3 Replies
Do you have any way to determine which rules were closed automatically? Are you adding a tag, a comment, or a closing comment? Those would probably be some of the easier ways to determine which ones were closed automatically and then it shouldn't be too hard to get what you need.
Cheers Gary - I was hoping to be able to grab the metadata - or similar that is appended to it when updated. Yes there is a closing comment but no tag - but will push that aspect also. Assumption being that will then make it possible to do some stats ....
Sadly there is nothing that is automatically added to let you know the incident was modified by a playbook; you would need to add that yourself.
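
One way to produce the counts asked about above, keyed on the closing comment mentioned in the thread. This is an added example, not a query from any of the posters; the marker text and the 30-day window are assumptions to replace with whatever your automation rule actually writes.

```kql
// Assumption: the automation rule sets this text as the closing comment.
let AutoCloseMarker = "Auto-closed by automation rule";   // hypothetical marker text
let Lookback = 30d;                                        // assumed reporting window
let Incidents = SecurityIncident
    | where TimeGenerated > ago(Lookback)
    // SecurityIncident logs a new row on every update, so keep only
    // the latest state of each incident before counting anything.
    | summarize arg_max(TimeGenerated, Status, ClassificationComment, CreatedTime)
        by IncidentNumber
    | where CreatedTime > ago(Lookback)
    | extend AutoClosed = Status == "Closed"
        and ClassificationComment contains AutoCloseMarker
    | summarize IncidentsCreated = count(),
                IncidentsClosed = countif(Status == "Closed"),
                IncidentsAutoClosed = countif(AutoClosed)
    | extend Key = 1;
SecurityAlert
| where TimeGenerated > ago(Lookback)
// Count distinct alert IDs so re-ingested or updated alerts are not counted twice.
| summarize Alerts = dcount(SystemAlertId)
| extend Key = 1
| join kind=inner Incidents on Key
| project Alerts,
          IncidentsCreated,
          IncidentsClosed,
          IncidentsAutoClosed,
          // Guard against an empty window to avoid dividing by zero.
          AutoClosedPct = iff(IncidentsCreated == 0, 0.0,
                              round(100.0 * IncidentsAutoClosed / IncidentsCreated, 1))
```

If the automation rule also adds a tag, the same `AutoClosed` test can check the `Labels` column instead of the closing comment.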