Automation rules not working #8936
Comments
|
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal. |
|
Hi @DevMickeal, Thanks for flagging this, we are looking into this and will get back to you. |
|
@v-rbajaj, thank you for picking this up. We'll appreciate if we can get immediate response on this. |
|
Hi @DevMickeal, Utilize Microsoft 365 Defender connector instead of Microsoft Defender for Endpoint standalone connector? If you don't want to utilize M365D connector, but strictly MDE connector with Microsoft Incident Creation Rule, you will need to create automation that will run on recurring event (like 5 minutes), check closed incidents/alerts in MDE in those 5 minutes (, find them in Sentinel using Azure Monitor Logs action, and update each incident in Sentinel as closed. |
|
Hi @DevMickeal, waiting for your confirmation, please provide some update on the above comment. |
|
Hi @v-rbajaj, please give time till tomorrow, will review and get back to you |
|
Hello @v-rbajaj, currently we have Microsoft 365 Defender connector enabled in sentinel, and the expected is that we go to sentinel dashboard for the monitoring and close out incidents. Does this mean that the automation/playbook feature on Microsoft Sentinel isn't working? |
|
@Bolubalog, no this does not implies that the automation/playbook feature isn't working. You can leverage Microsoft 365 Defender capabilities and that will help you to resolve your issue. |
|
@v-rbajaj thank you for your response, if it doesn't imply that the rule isn't working, why exactly are we not able to run the playbook against our incidents. |
|
Hi @Bolubalog, ok, will get back to you on why this playbook isn't working for auto close of incidents by 22 Sep 2023 . |
|
Thank you @v-rbajaj |
|
Hi @Bolubalog, we have reached out to concerned team on this issue and will get back to you by 27 Sep 2023. |
|
Thank you @v-rbajaj |
|
Hi @DevMickeal, Seems like the there is a problem with settings of the automation rule.
|
|
Hi @v-rbajaj you mean we should try the settings in the format in the screenshot you provided and test? |
|
Hi @Bolubalog, yes please.. |
|
Okay, I will test and revert by tomorrow. |
|
Hi @Bolubalog, can you please provide some update on this issue? |
|
@v-rbajaj Please give me until thursday, I have been on leave. Will test and revert. |
|
Hi @Bolubalog, sure, noted, thanks! |
|
Hi @Bolubalog, did you get a chance to look into this issue? |
|
Hi @Bolubalog, Since we have not received a response in the last 5 days, we are closing your issue #8936 as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation. |
Describe the bug
I am trying to create automation rules to auto-close incidents coming from Microsoft Defender for the endpoint.
To Reproduce
I used the create incident task from the incident details, it is very weird this is not working
Expected behavior
The automation rule ought to close the rule
Screenshots
The text was updated successfully, but these errors were encountered: