Solved

Add alerts from Microsoft ATP incident to a Case

  • January 23, 2025
  • 8 replies
  • 69 views


Hi,

I'm using the Microsoft ATP connector to fetch incidents from the tenant and create a case for each incident.

Incidents in Microsoft Defender have one or more related alerts, which Defender aggregates to create the incident. When the case is created in the SOAR, it doesn't include all the alerts related to the incident. The MS ATP integration has one playbook action, "ListAlerts", that returns a JSON with all the related alerts and their info (this is working fine).

My question now is how I can add those alerts to the Case, below the "Alerts" section. I have been trying different actions but none of them seems to work.

Am I missing something here or do I need to develop the action myself?

Thanks!

Best answer by ylandovskyy

I would suggest trying the Microsoft 365 Defender connector. It will ingest all of the incident's alerts as SecOps alerts, but they will be grouped into the same case based on incident id.

An additional benefit is that the connector tracks changes to the alerts, so if additional evidence is added to an alert, it will be re-ingested.

8 replies

mccrilb
  • Silver 2
  • January 24, 2025

I pull alerts and the related info of the alert into my cases using the Graph API. To do it I had to create a copy and modify it to point to the API 2.0 endpoint. 

You have to update the constants so that they have the correct API endpoint.

Then update all the pointers in MicrosoftGraphSecurityManager and datamodels.

ylandovskyy
Staff
  • Staff
  • Answer
  • January 24, 2025

I would suggest trying the Microsoft 365 Defender connector. It will ingest all of the incident's alerts as SecOps alerts, but they will be grouped into the same case based on incident id.

An additional benefit is that the connector tracks changes to the alerts, so if additional evidence is added to an alert, it will be re-ingested.


  • Author
  • Bronze 1
  • January 27, 2025

I would suggest trying the Microsoft 365 Defender connector. It will ingest all of the incident's alerts as SecOps alerts, but they will be grouped into the same case based on incident id.

An additional benefit is that the connector tracks changes to the alerts, so if additional evidence is added to an alert, it will be re-ingested.


Would it make sense to use the Microsoft 365 Defender connector for ingesting alerts and the ATP integration to perform actions on the machines via playbooks? Like getting the incident/alert ID and isolating the machine?


mccrilb
  • Silver 2
  • January 27, 2025

Would it make sense to use the Microsoft 365 Defender connector for ingesting alerts and the ATP integration to perform actions on the machines via playbooks? Like getting the incident/alert ID and isolating the machine?


I use both APIs. For taking actions such as scanning, blocking IOCs, and isolating the machine I use the Defender API, and the built-in function works very well. I have found that the Graph API has much better context about the alert that I pull into the case.


mccrilb
  • Silver 2
  • January 27, 2025

There is also a group of Microsoft Graph Alerts that you might want to look into. We have this rule in our SIEM, and in order to enrich those you will find you need the Graph API.

 

// Rule name is a placeholder; the post gives only the events block,
// which is wrapped here into a complete YARA-L rule.
rule microsoft_graph_alert {
  events:
    $e1.metadata.log_type = "MICROSOFT_GRAPH_ALERT"
    ($e1.security_result.alert_state = "ALERTING"
        or $e1.security_result.severity = "HIGH"
        or $e1.security_result.severity = "MEDIUM"
        )

  condition:
    $e1
}

ylandovskyy
Staff
  • Staff
  • January 27, 2025

Would it make sense to use the Microsoft 365 Defender connector for ingesting alerts and the ATP integration to perform actions on the machines via playbooks? Like getting the incident/alert ID and isolating the machine?


Yes, you can do that.


  • Author
  • Bronze 1
  • January 28, 2025

I would suggest trying the Microsoft 365 Defender connector. It will ingest all of the incident's alerts as SecOps alerts, but they will be grouped into the same case based on incident id.

An additional benefit is that the connector tracks changes to the alerts, so if additional evidence is added to an alert, it will be re-ingested.


After a few days with the 365 Defender connector, what I'm seeing is that when an alert is updated with additional evidence, it is re-ingested as a new alert instead of updating the previous one, so a single alert in Defender may become 5-6 alerts in a Case in the SOAR. Is there a way around this? Too noisy in my opinion.
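The grouping and re-ingestion behaviour discussed in this thread, as an added example (not code from the thread, the connectors or Microsoft): constructed SecOps alert records in which one Defender alert was re-ingested three times as evidence grew, grouped into cases by incident id and collapsed to the newest version of each alert id. The field names and timestamps are assumptions for illustration.

```python
"""Collapse re-ingested versions of the same Defender alert into one case entry.

Added example, not code from the thread or from the Google SecOps connectors.
Records are constructed to mimic what the thread describes: each ingested
SecOps alert carries the Defender alert id, the incident id it was aggregated
into, an update timestamp and the evidence seen so far (field names assumed).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: alert "da1" was re-ingested three times as evidence grew,
# so a naive grouping shows three copies of it in the case for incident 1001.
INGESTED = [
    {"alert_id": "da1", "incident_id": "1001", "last_update": "2025-01-27T10:00:00Z", "evidence": ["host-a"]},
    {"alert_id": "da2", "incident_id": "1001", "last_update": "2025-01-27T10:05:00Z", "evidence": ["user-x"]},
    {"alert_id": "da1", "incident_id": "1001", "last_update": "2025-01-27T11:30:00Z", "evidence": ["host-a", "user-x"]},
    {"alert_id": "da1", "incident_id": "1001", "last_update": "2025-01-27T12:45:00Z", "evidence": ["host-a", "user-x", "1.2.3.4"]},
    {"alert_id": "da3", "incident_id": "1002", "last_update": "2025-01-28T09:00:00Z", "evidence": ["host-b"]},
]


def _ts(rec):
    """Parse the record's update timestamp (UTC, 'Z' suffix) for ordering."""
    return datetime.strptime(rec["last_update"], "%Y-%m-%dT%H:%M:%SZ")


def group_into_cases(records):
    """Group ingested alerts into cases keyed by Defender incident id (the
    connector's grouping), keeping only the newest version of each alert id
    (the de-duplication the thread asks for). Returns {incident_id: [alerts]}
    with each case's alerts ordered oldest to newest."""
    cases = defaultdict(dict)
    for rec in records:
        current = cases[rec["incident_id"]].get(rec["alert_id"])
        if current is None or _ts(rec) > _ts(current):
            cases[rec["incident_id"]][rec["alert_id"]] = rec
    return {inc: sorted(alerts.values(), key=_ts) for inc, alerts in cases.items()}


def alert_counts(records):
    """Per case: (raw ingested count, de-duplicated count), to measure the noise."""
    raw = defaultdict(int)
    for rec in records:
        raw[rec["incident_id"]] += 1
    deduped = group_into_cases(records)
    return {inc: (raw[inc], len(deduped[inc])) for inc in raw}


if __name__ == "__main__":
    for inc, alerts in group_into_cases(INGESTED).items():
        print(inc, [(a["alert_id"], len(a["evidence"])) for a in alerts])
    print(alert_counts(INGESTED))
```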


ylandovskyy
Staff
  • Staff
  • January 29, 2025

After a few days with the 365 Defender connector, what I'm seeing is that when an alert is updated with additional evidence, it is re-ingested as a new alert instead of updating the previous one, so a single alert in Defender may become 5-6 alerts in a Case in the SOAR. Is there a way around this? Too noisy in my opinion.


We are planning to add an update soon, where tracking of alerts will be optional and configurable. Planned to be released in 2-3 weeks.