Microsoft re-opening and re-closing Incidents in Sentinel

Hey, so we have experienced several times MS re-opening incidents in Sentinel that one of our analysts has already closed. And then also re-closing it, but I'll get to that.
When re-opening a Sentinel Incident, I have two feature requests:
  • Somehow keeping the original closing comment so that if we are re-investigating we can see what was already done and concluded.
  • Secondly, that there is an explanation as to why it was reopened.
Please let me know, if these already exist and where. 
We also experience these re-opened incidents being re-closed again (with no apparent explanation), but with the original analyst from our team put as the closer, with their original closing comment but at the new timestamp. I guess this happens because the incident was wrongly re-opened in the first case and therefore someone from MS attempts to revert the changes. However, when searching the logs in KQL, we find records stating our analyst closed it again, which is false. MS closed it again. For us as an MSSP it is important that the records of when we updated Sentinel Incidents are accurate. So if MS opens or closes an Incident, I would expect that to be reflected in the records, for example "Closed by Microsoft".

The latest example of an incident reopened was titled: "Initial Access Incident on one endpoint reported by multiple sources" and is not generated by a Sentinel Analytics rule, but comes from M365. So maybe there is an issue in the integration between those. 
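As an added example that is not part of the original post or of Microsoft's own documentation: a KQL query over the SecurityIncident table that rebuilds each incident's status transitions, so the closer and comment recorded for every close or re-close can be compared with what the analyst actually did. It assumes the standard SecurityIncident column names; the 30-day window is a constructed choice.

```kql
// Each modification of an incident writes a new row to SecurityIncident.
// Order the rows per incident and keep only those where Status changed,
// then list who the log says made each change and with what comment.
SecurityIncident
| where TimeGenerated > ago(30d)                      // constructed window
| project LastModifiedTime, IncidentNumber, Title, Status,
          Classification, ClassificationComment, ModifiedBy, ProviderName
| sort by IncidentNumber asc, LastModifiedTime asc   // serializes for prev()
| extend PrevStatus = iff(prev(IncidentNumber) == IncidentNumber, prev(Status), "")
| where PrevStatus != "" and PrevStatus != Status     // real status transitions only
| extend Transition = strcat(PrevStatus, " -> ", Status)
| summarize
    ReopenCount   = countif(Transition startswith "Closed -> "),
    RecordedClosers = make_set_if(ModifiedBy, Status == "Closed"),
    History       = make_list(bag_pack("at", LastModifiedTime,
                                       "change", Transition,
                                       "by", ModifiedBy,
                                       "comment", ClassificationComment))
    by IncidentNumber, Title, ProviderName
| where ReopenCount > 0                              // incidents that were re-opened
| order by ReopenCount desc
```

The History column shows, per re-close, which identity the log attributes it to and whether the original closing comment was carried over, which is the discrepancy described above.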

4 Replies
For your feature requests, go to https://feedback.azure.com/d365community/forum/37638d17-0625-ec11-b6e6-000d3a4f07b8# and add your requests.

For the items that are being reclosed, are they originating from other Azure Security products? It could be they are closed in the other system, which is then pushing the fact it is closed into Microsoft Sentinel.
Hey GBushey, thanks for the answer! I have now created the feature request, thanks for the reference.

They are in fact originating from Microsoft Defender 365. But why would a ticket closed in Sentinel be re-opened in the scenario you are describing?

I understand the scenario of an open Sentinel Incident being closed by MS Automation as part of the bidirectional sync, if the incident is closed from Microsoft Defender 365.
Hi Gary,
Could you share the correct link to submit our feedback.
Do you have any ETA to get this issue resolved?
That link is still working. If you are still experiencing this issue, I would recommend opening a ticket with MS so they can take a look at your environment to get a better idea what is happening.