Microsoft re-opening and re-closing Incidents in Sentinel

Copper Contributor
Hey, so we have experienced several times MS re-opening incidents in Sentinel that one of our analysts have already closed. And then also re-closing it, but I'll get to that. 
When re-opening a Sentinel Incident, I have two feature requests:
  • Somehow keeping the original closing comment so that if we are re-investigating we can see what was already done and concluded.
  • Secondly, that there is an explanation as to why it was reopened.
Please let me know, if these already exist and where. 
We also experience these re-opened incidents being re-closed again ( with no apparent explanation) but with the original analyst from our team, put as the closer with their original closing comment but at the new timestamp. I guess this happens because the incident was wrongly re-opened in the first case and therefor someone from MS attempts to revert the changes. However when searching the logs in kql, we find records stating our analyst closed it again which is false. MS closed it again. For us as an MSSP it is important the records of when we updated Sentinel Incidents are accurate. So if MS opens or closes an Incident, I would expect that to be reflected in the records, for example "Closed by Microsoft". 

The latest example of an incident reopened was titled: "Initial Access Incident on one endpoint reported by multiple sources" and is not generated by a Sentinel Analytics rule, but comes from M365. So maybe there is an issue in the integration between those. 
4 Replies
For your feature requests, go to and add your requests.

For the items that are being reclosed, are they originating from other Azure Security products? It could be they are closed in the other system, which is then pushing the fact it is closed into Microsoft Sentinel.
Hey GBushey, thanks for the answer! I have now created the feature request, thanks for the reference.

They are in fact originating from Microsoft Defender 365- But why would a ticket closed in Sentinel, be re-opened in the scenario you are describing?

I understand the scenario of an open Sentinel Incident being closed by MS Automation as part of the bidirectional synch, if the incident is closed from Microsoft Defender 365.
Hi Gary,
Could you share the correct link to submit our feedback.
Do you have any ETA to get this issue resolved ?
That link is still working. If you are still experiencing this issue, I would recommend opening a ticket with MS so they can take a look at your environment to get a better idea what is happening.