Hey, so we have experienced several times MS re-opening incidents in Sentinel that one of our analysts has already closed. And then also re-closing them, but I'll get to that.
When re-opening a Sentinel Incident, I have two feature requests:
Somehow keeping the original closing comment so that if we are re-investigating we can see what was already done and concluded.
Secondly, that there is an explanation as to why it was reopened.
Please let me know if these already exist and where.
We also experience these re-opened incidents being re-closed again (with no apparent explanation), but with the original analyst from our team put as the closer with their original closing comment, at the new timestamp. I guess this happens because the incident was wrongly re-opened in the first place and therefore someone from MS attempts to revert the changes. However, when searching the logs in KQL, we find records stating our analyst closed it again, which is false. MS closed it again. For us as an MSSP it is important that the records of when we updated Sentinel incidents are accurate. So if MS opens or closes an incident, I would expect that to be reflected in the records, for example "Closed by Microsoft".
The latest example of a reopened incident was titled "Initial Access Incident on one endpoint reported by multiple sources" and was not generated by a Sentinel analytics rule but came from M365. So maybe there is an issue in the integration between those.
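A query that makes the reopen/re-close sequence described above visible, added here as an example and not posted by either participant. It reads the standard SecurityIncident table in Log Analytics, which stores one row per incident update, and reconstructs the status transitions per incident together with the ModifiedBy and ProviderName recorded on each row. The 30-day window and the list size are assumptions; ModifiedBy is shown as recorded, which is exactly the value the post questions, so the query lets you check it against the timestamps rather than trusting it.

```kql
// Added example (not from the original post): list every incident that went
// Closed -> Active in the last 30 days, with the full status history of each.
// Assumes the standard SecurityIncident schema; 30d and the list cap are arbitrary.
SecurityIncident
| where TimeGenerated > ago(30d)
// Order all update rows per incident by modification time so prev() sees the
// previous update of the same incident.
| sort by IncidentNumber asc, LastModifiedTime asc
// prev() of the first row is null, and null == x is false, so a new incident
// gets an empty previous status instead of the last row of another incident.
| extend PrevStatus = iff(prev(IncidentNumber) == IncidentNumber, prev(Status), "")
// Keep only rows where the status actually changed (drops comment-only edits).
| where PrevStatus != Status
| extend Transition = strcat(iff(isempty(PrevStatus), "(new)", PrevStatus), " -> ", Status)
| summarize
    Transitions = make_list(
        bag_pack(
            "at", LastModifiedTime,
            "change", Transition,
            "by", ModifiedBy,             // identity Sentinel recorded for the update
            "provider", ProviderName,     // e.g. analytics rule vs. another product
            "classification", Classification,
            "comment", ClassificationComment),
        50),
    Reopened = countif(Transition == "Closed -> Active"),
    Reclosed = countif(Transition == "Active -> Closed")
    by IncidentNumber, Title
| where Reopened > 0
| project IncidentNumber, Title, Reopened, Reclosed, Transitions
```

Reading the Transitions list for one incident shows, in order, who closed it, when it was reopened and by which recorded identity, and who the later re-close was attributed to; comparing the "by" value of the re-close with the closing comment and timestamp is how to spot the case where the original analyst's name and comment reappear on an update they did not make. ProviderName on the reopen row is also the quickest way to tell whether the update arrived through another product's integration rather than from a Sentinel analytics rule.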
For the items that are being re-closed, are they originating from other Azure Security products? It could be that they are closed in the other system, which then pushes the fact that they are closed into Microsoft Sentinel.