Microsoft Tech Community

Sentinel incidents sync with other Microsoft security portals

Hi,

I would like to know if Sentinel can automatically sync the incidents which are closed in other Microsoft security portals. If it syncs automatically, what is the delay for each?

  1. Do Sentinel incidents get automatically synced with incidents in Defender?
  2. Do Sentinel incidents get automatically synced with incidents in MDI?
  3. Do Sentinel incidents get automatically synced with incidents in MCAS (Microsoft cloud apps security portal)?
  4. Do Sentinel incidents get automatically synced with AAD risky users actions (like the risky users which we analyze and decide risk dismissal/compromised in AAD)?

If anyone can help me with this information, it would be great!

Thanks

4 Replies
Yes, it does now. We have enabled the "Microsoft 365 Defender (Preview)"; since then, incidents are getting closed automatically. HTH

What is the estimated time to reach from each portal to Sentinel? And do you have any idea about other portals as mentioned above? (MCAS, AAD, MDI)

@naramesh

This is not entirely true. While it does close incidents on portals such as security.microsoft.com and securitycenter.windows.com and so on, alerts on the CloudAppSecurity portal are not closed. I am aware that Microsoft is trying to push usage of security.microsoft.com instead of multiple portals; I think it still needs to be closed on the CloudAppSecurity portal. When my peers visit the CloudAppSecurity portal and see 40 open alerts, eyebrows are raised.

That's correct. Status is sync'ed to Microsoft Defender, but not sync'ed to the individual product portals.