Jan 05 2023 07:10 AM
I am trying to leverage Microsoft Sentinel's SOAR capabilities to automatically close false positive alerts from Microsoft Defender for Office. The particular policy I want to address now is "Phish delivered due to IP allow policy": we get a lot of false positive alerts whenever MDO misclassifies an email, so I want to suppress these in Sentinel.
My thought process was to create a playbook (using Logic App), to get the incident and capture the 'message ID' entity. So, for every Message ID, I want to write a KQL query to search that ID from Sentinel logs, see if predefined fields are matched, then close the incident if matched, else notify the team.
Right now, this is what I have:
I am honestly stuck here. The Microsoft Sentinel instance does not have a Cluster URL; I need to query it directly, not via Azure Data Explorer.
Could you please assist me? Is there an easier way to get this automated response in place?
Jan 05 2023 10:44 AM
Jan 05 2023 10:47 AM
Indeed you can create an "auto close", but it's smarter to update the rule that creates the alert to be more accurate according to your policy.
It will reduce cost and give you cleaner reports on incidents and SLA (and other kinds of links that could be relevant, such as linked alerts).
Except if you're not sure and prefer to autoclose and keep the links in case of investigations. 😀
Jan 05 2023 11:27 AM
@LeenoldTN - one other idea is to use the HTTP action against the Adv Hunting API to return the KQL results
Variable: String (place KQL here)
HTTP Action: using Managed Identity with api perms (AdvancedQuery.Read.All):
An example of this being used and how to set the MSI with permissions to the Adv Hunt API can be found here: Microsoft-Defender-for-Cloud/Workflow automation/Create-MDEDeviceTagArc at main · Azure/Microsoft-De...
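The per-Message-ID check the original question describes, wired to the HTTP-action approach from this reply, as an added example (not the posters' code, not from the linked repository): it assumes the playbook receives the incident entities, POSTs `{"Query": ...}` to the Advanced Hunting API, and gets back that API's `Schema`/`Results` shape; the entity layout, the sample response and the "known false positive" criteria are constructed for illustration.

```python
import json

# Constructed sample of the entities a Logic App would hand the playbook
# (simplified shape, not a real Sentinel incident payload).
INCIDENT_ENTITIES = [
    {"kind": "MailMessage",
     "properties": {"NetworkMessageId": "11111111-2222-3333-4444-555555555555"}},
    {"kind": "Account", "properties": {"Name": "alice"}},
]

# Constructed "predefined fields" that mark a message as a known false positive.
# Column names are real EmailEvents columns; the values are made up.
EXPECTED = {"DeliveryAction": "Delivered", "ThreatTypes": "Phish",
            "SenderFromDomain": "partner.example"}

def message_ids(entities):
    """Collect the NetworkMessageId of every MailMessage entity on the incident."""
    return [e["properties"]["NetworkMessageId"]
            for e in entities if e.get("kind") == "MailMessage"]

def build_query(message_id):
    """KQL for one message; escape quotes so the ID cannot break out of the literal."""
    safe = message_id.replace("\\", "\\\\").replace('"', '\\"')
    return ("EmailEvents\n"
            f'| where NetworkMessageId == "{safe}"\n'
            "| project NetworkMessageId, SenderFromDomain, DeliveryAction, ThreatTypes")

def request_body(message_id):
    """Body of the HTTP action: the Advanced Hunting API expects {"Query": "<kql>"}."""
    return json.dumps({"Query": build_query(message_id)})

def decide(api_response, expected=EXPECTED):
    """Return 'close' only when every row matches every expected field.
    No rows (message not found yet, or already purged) is treated as 'notify',
    so the playbook fails safe toward a human look rather than a silent close."""
    rows = api_response.get("Results", [])
    if not rows:
        return "notify"
    matched = all(all(row.get(k) == v for k, v in expected.items()) for row in rows)
    return "close" if matched else "notify"

# Constructed sample response in the API's Schema/Results shape.
SAMPLE_RESPONSE = {
    "Schema": [{"Name": c, "Type": "String"} for c in EXPECTED] + [{"Name": "NetworkMessageId", "Type": "String"}],
    "Results": [{"NetworkMessageId": "11111111-2222-3333-4444-555555555555",
                 "SenderFromDomain": "partner.example",
                 "DeliveryAction": "Delivered", "ThreatTypes": "Phish"}],
}

if __name__ == "__main__":
    for mid in message_ids(INCIDENT_ENTITIES):
        print(request_body(mid))
        print(mid, "->", decide(SAMPLE_RESPONSE))
```

In the Logic App, `request_body` is what the HTTP action sends with the managed identity's token, and `decide` is the condition branch that feeds either the "update incident: Closed" step or the team notification.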
Jan 06 2023 06:13 AM
Jan 06 2023 06:20 AM
Hi @LeenoldTN ,
Even if you have a built-in alert, you can disable this particular alert, but you will need to create a new rule using a KQL query.
I did the same with the "forwarding alert" (allowing the internal forwarding alert, where I first wanted to "autoclose" it).
But why create a workaround when you're able to make a more accurate rule?