Close Microsoft Defender ATP incidents similar to alerts

A number of alerts form an incident in the DATP console, so closing every single alert is painful; instead we can close the whole incident, which closes every alert on DATP. This saves a lot of time for analysts. For now we can get details, update, and close single alerts. The same has to be implemented for incidents as well, so that bulk alerts can be closed in one shot. This seems like not a big change, just an enhancement. If you install the "Microsoft Security Graph Integration for Resilient" from App Exchange, you can get details / update / close alerts from Resilient. Microsoft had no APIs for incidents until last month, so using this integration we can only play with alerts. However, incident APIs are also available now.

  • Guest
  • Oct 8 2020
  • Future consideration
  • Guest commented
    22 Oct, 2020 04:01pm

    This uses the Microsoft Security Graph API itself, so it should be very easy to implement as Defender ATP alerts are already present.

  • Admin
    MARTIN FEENEY commented
    9 Oct, 2020 08:36am

    Thanks for the clarification.

  • Guest commented
    9 Oct, 2020 03:18am

    Yes Martin, it is Microsoft Defender Advanced Threat Protection, which gives alerts for the vulnerable machines and users based on the threat. This is not a bespoke integration: if you install the "Microsoft Security Graph Integration for Resilient" from App Exchange, you can get details / update / close alerts from Resilient. Microsoft had no APIs for incidents until last month, so using this integration we can only play with alerts. However, incident APIs are also available now, hence this idea.

  • Admin
    MARTIN FEENEY commented
    8 Oct, 2020 03:50pm

    Can you clarify what DATP refers to? Microsoft Defender Advanced Threat Protection perhaps?

    This sounds like a bespoke integration and not a product provided one.