SOLVED

No option to tune analytics rule with Microsoft 365 Defender connector

Contributor

Greetings, i have been working with a few different customers and when trying to configure the Defender for O365 alert "Email messages containing malicious URL removed after delivery", however there is no option to add exlucions and minor tweaks to the analytics rule as it used to be when not connected via the Microsoft 365 Defender connetor.

stianhoydal_0-1641305647949.png

stianhoydal_0-1641306928439.png

 

 

The option to click "Create incidents based on *product name* alerts" does not exist after activating the Microsoft 365 Defender connector. Is there any way to do similar tuning anyway? I wish to not make informational incidents like the email messages, but still recieve the alert in the background and rather create an incident if more that 20+ of the same alert is recieved.  

6 Replies
best response confirmed by stianhoydal (Contributor)
Solution
You can't update those rules as it uses an integrated bi-directional sync engine.

The best way is to use automation rules to update these incidents based on certain conditions.

@Thijs Lecomte So the best way of solving this particular issue is to turn of the Microsoft 365 Defender connector for now and keep the connectors as they are separated. Since the M365 Defender connector is in preview i suppose there might be hope for this functionality in the future. 

I prefer to keep the preview connector enabled as it has the incident bi-directional sync which is a huge benefit.

I haven't heard of any changes which would solve your issue. I guess the solution is automation rules... I don't think this will change

The problem with using automation rules(as far as i know) is that the incident would still be created. I am working for a MSP and we are running a SOC which gets all incidents forwarded to them continously. I suppose i could try to create an automation rule that closes these incidents and put a check in the mail forwarding playbook to check if the incident is open or not(unless it does this by default)

I always work for an MSP that runs a SOC.
You can setup priority for automation rules.

I close the incidents first and then only sync them
I will try to do this and see if it works. Thanks for answers :)