SOAR - Automatically closing incidents from Microsoft Defender for Office

Copper Contributor

Hi All,


I am trying to leverage Microsoft Sentinel's SOAR capabilities to automatically close false positive alerts from Microsoft Defender for Office. The particular policy I want to address now is the "Phish delivered due to IP allow policy", so we get a lot of false positive alerts whenever MDO misclassifies an email, so I want to suppress these in Sentinel.


My thought process was to create a playbook (using Logic App), to get the incident and capture the 'message ID' entity. So, for every Message ID, I want to write a KQL query to search that ID from Sentinel logs, see if predefined fields are matched, then close the incident if matched, else notify the team.


Right now, this is what I have:



I am honestly stuck here. The Microsoft Sentinel Instance does not have a Cluster URL, I need to query it directly not via Azure Data Explorer.


May you please assist me. Is there an easier way to get this automated response in place? 



Thank you. 

6 Replies
Do not use that action, use the Azure Monitor Logs "Run query and list results" action

Hello @LeenoldTN,


Indeed you can create an "auto close", it's smarter to update the rule that create the alert to be more accurate according to your policy.

It will reduce cost and give you cleaner reports on incidents and SLA (and other kind of link that could be revelent as linked alerts)


Exept if you're not sure and prefer to autoclose and keep links in case of investigations.  :grinning_face:

@LeenoldTN - one other idea is to use the HTTP action against the Adv Hunting API to return the KQL results



Variable: String (place KQL here)


HTTP Action: using Managed Identity with api perms (AdvancedQuery.Read.All):



"Query": @{variables('AdvHuntKQLQuery')}


An example of this being used and how to set the MSI with permissions to the Adv Hunt API can be found here: Microsoft-Defender-for-Cloud/Workflow automation/Create-MDEDeviceTagArc at main · Azure/Microsoft-De...

Thank you @KM-Neotiss,
This alert is from an inbuilt policy in MDO, I am not able to modify it, that is why I am resorting to dealing with it from Sentinel.

Hi @LeenoldTN ,


Even if you have built in alert you can disable this particular alert, but you will need to create a new rule using the KQL Query.

I done same with the "forwarding alert" (allowing internal forwarding alert where i first wanted to "autoclose it")


But why creating a workaroud when you're able to make a more accurate rule?