Close Microsoft Defender ATP incidents similar to alerts

A number of alerts form an incident in the DATP console, so closing every single alert is painful; instead we can close the whole incident, which closes every alert on DATP. This saves analysts a lot of time. For now we can get details, update and close single alerts. The same has to be implemented for incidents as well. Bulk alerts can be closed in one shot. This seems not to be a big change, just an enhancement. If you install the "Microsoft Security Graph Integration for Resilient" from App Exchange, you can get details / update / close alerts from Resilient. Microsoft had no APIs for incidents until last month, so using this integration we can only play with alerts. However, incident APIs are also available now.

  • Guest
  • Oct 8 2020
  • Future consideration
  • Guest commented
    22 Oct 04:01pm

    This uses the Microsoft Security Graph API itself. So it should be very easy to implement, as Defender ATP alerts are already present.

  • Admin
    MARTIN FEENEY commented
    9 Oct 08:36am

    Thanks for the clarification.

  • Guest commented
    9 Oct 03:18am

    Yes Martin, it is Microsoft Defender Advanced Threat Protection, which gives alerts for the vulnerable machines and users based on the threat. This is not a bespoke integration: if you install the "Microsoft Security Graph Integration for Resilient" from App Exchange, you can get details / update / close alerts from Resilient. Microsoft had no APIs for incidents until last month, so using this integration we can only play with alerts. However, incident APIs are also available now, hence this idea.

  • Admin
    MARTIN FEENEY commented
    8 Oct 03:50pm

    Can you clarify what DATP refers to? Microsoft Defender Advanced Threat Protection, perhaps?

    This sounds like a bespoke integration and not a product-provided one.
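The saving the idea above describes, one PATCH on the incident instead of one PATCH per alert, as an added Python example. This is not code from the Resilient integration or from Microsoft; it uses the Defender ATP REST API endpoints (`/api/incidents/{id}` and `/api/alerts/{id}` on `api.securitycenter.microsoft.com`) as Microsoft documents them. The bearer token, the incident and alert IDs and the `classification` / `determination` values in the demo are placeholders, and the HTTP transport is injectable so the module runs offline through a recording stand-in.

```python
"""Resolve a Defender ATP incident with one API call instead of closing
its alerts one by one.

Added example, not code from the Resilient integration or from Microsoft.
Endpoints follow Microsoft's Defender ATP REST API documentation; the token,
IDs and classification/determination values used below are placeholders.
"""
import json
import urllib.request
from typing import Callable, Dict, List

BASE_URL = "https://api.securitycenter.microsoft.com/api"

# A transport takes a prepared request and returns the raw response body.
Sender = Callable[[urllib.request.Request], bytes]


def _live_send(req: urllib.request.Request) -> bytes:
    """Real transport; used only when no offline sender is injected."""
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def _patch(path: str, body: Dict[str, str], token: str) -> urllib.request.Request:
    """Authenticated PATCH with a JSON body against the Defender ATP API."""
    return urllib.request.Request(
        url=f"{BASE_URL}{path}",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def resolve_incident(incident_id: int, token: str, comment: str,
                     classification: str = "TruePositive",
                     determination: str = "Malware",
                     send: Sender = _live_send) -> Dict:
    """PATCH /incidents/{id} once; Defender resolves the member alerts itself."""
    body = {"status": "Resolved", "classification": classification,
            "determination": determination, "comment": comment}
    return json.loads(send(_patch(f"/incidents/{incident_id}", body, token)))


def resolve_alerts_individually(alert_ids: List[str], token: str, comment: str,
                                classification: str = "TruePositive",
                                determination: str = "Malware",
                                send: Sender = _live_send) -> List[Dict]:
    """The alert-only route available today: one PATCH /alerts/{id} per alert."""
    body = {"status": "Resolved", "classification": classification,
            "determination": determination, "comment": comment}
    return [json.loads(send(_patch(f"/alerts/{aid}", body, token)))
            for aid in alert_ids]


class RecordingSender:
    """Offline transport: records each request and echoes the JSON body back,
    standing in for the API's own response so the module runs without network."""

    def __init__(self) -> None:
        self.requests: List[urllib.request.Request] = []

    def __call__(self, req: urllib.request.Request) -> bytes:
        self.requests.append(req)
        return req.data

    def summary(self) -> List[Dict[str, str]]:
        """Method, URL and status field of every recorded call."""
        return [{"method": r.get_method(), "url": r.full_url,
                 "status": json.loads(r.data)["status"]}
                for r in self.requests]


if __name__ == "__main__":
    # Constructed demo: placeholder token, incident 42 made up of three alerts.
    note = "Resolved via SOAR playbook"
    one = RecordingSender()
    resolve_incident(42, "PLACEHOLDER_TOKEN", note, send=one)
    many = RecordingSender()
    resolve_alerts_individually(["alert-a", "alert-b", "alert-c"],
                                "PLACEHOLDER_TOKEN", note, send=many)
    print(f"incident route: {len(one.requests)} call; "
          f"alert route: {len(many.requests)} calls")
    for call in one.summary() + many.summary():
        print(call)
```

Swap `RecordingSender` for the default transport and a real OAuth token to run it against a tenant; the caller still decides classification and determination, which the API requires to be consistent with the status being set.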