SOLVED

Automation rules on Microsoft Defender Connector


Hi guys,

Just configured the "Microsoft 365 Defender (Preview)" connector within Sentinel, which automatically receives alerts from Defender for Endpoint and MCAS. Is there any way to auto-suppress alerts with automation rules? I receive an alert which I do not need in Sentinel (but the customer wants the alert), but I cannot see an option for automation rules since it does not have an analytic rule.

Closing it with a Playbook or something like that would work, but I am curious if people use different solutions.

Cheers!

4 Replies
You can use an Automation Rule to auto-close the Incident. Otherwise, you would need to tune MDE or MCAS to not send the alert.
Doesn't that need to be linked to an analytic rule? Or do they also run without one?
best response confirmed by mschcomm (New Contributor)
Solution
In order to close MDE alerts, select 'All' for the Analytic Rule filter and use Microsoft Product or title conditions to run your rules.
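The accepted answer's rule, written out as a Microsoft.SecurityInsights/automationRules ARM resource (an added example, not from the thread): there is no IncidentRelatedAnalyticRuleIds condition, which is what selecting 'All' analytic rules means, the incident is picked out by provider and by a title substring, and the only action closes it as benign. The workspace name, the rule GUID, the PLACEHOLDER-ALERT-TITLE substring and the provider value "Microsoft 365 Defender" are assumptions to replace with your own; the rule closes the incident in Sentinel only, so the alert still fires in the Defender portal for the customer.

```json
{
  "type": "Microsoft.SecurityInsights/automationRules",
  "apiVersion": "2023-02-01",
  "scope": "Microsoft.OperationalInsights/workspaces/PLACEHOLDER-WORKSPACE",
  "name": "00000000-0000-0000-0000-000000000001",
  "properties": {
    "displayName": "Auto-close expected MDE alert (customer keeps it in Defender)",
    "order": 1,
    "triggeringLogic": {
      "isEnabled": true,
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": [
        {
          "conditionType": "Property",
          "conditionProperties": {
            "propertyName": "IncidentProviderName",
            "operator": "Equals",
            "propertyValues": [ "Microsoft 365 Defender" ]
          }
        },
        {
          "conditionType": "Property",
          "conditionProperties": {
            "propertyName": "IncidentTitle",
            "operator": "Contains",
            "propertyValues": [ "PLACEHOLDER-ALERT-TITLE" ]
          }
        }
      ]
    },
    "actions": [
      {
        "order": 1,
        "actionType": "ModifyProperties",
        "actionConfiguration": {
          "status": "Closed",
          "classification": "BenignPositive",
          "classificationReason": "SuspiciousButExpected",
          "classificationComment": "Expected activity; alert retained in the Defender portal for the customer."
        }
      }
    ]
  }
}
```

Keep the title condition as narrow as the alert allows (Equals rather than Contains where the title is stable), otherwise unrelated incidents with a similar title will be closed unseen.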

@Thijs Lecomte Thanks Thijs! I totally missed the fact that you could use it without a specific rule.