
Can someone provide some detail on the behaviour of ‘disable alert tracking’ for the M365 Defender Incidents connector?


Am I right in thinking that if an alert or incident is changed after ingestion on Defender’s side it will update (as opposed to creating new) on Google SecOps SOAR side? 

@samryanturner by default, it will create a new alert in SOAR when there is a change in the M365 Defender incident.
If you enable “Disable Alert Tracking”, then it will not track the change, thus no new alert will be created.


I will raise a document request to get this information updated in here:
https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/microsoft-365-defender#microsoft_365_defender_incidents_connector


Does it close/group existing alerts the newly ingested ones replace?

I’m trying to understand the use case for this functionality and whether it can improve the relationship between Defender XDR and SecOps.


Hey @samryanturner !

It doesn’t close the other alerts. In terms of grouping, there is a very high likelihood that the alerts will be grouped under 1 case, because they are very similar, but if a case, for example, already reached the limit of possible alerts, then the alert will go into a new case.

It’s very subjective whether this is beneficial or not, because initially we enforced tracking, but got feedback from multiple tenants that it was causing too much noise and they wanted to disable it.

Keep in mind that we don’t re-ingest the alert if there was any update. For example, if an assignee was changed or a comment was added, it’s not meaningful information to trigger full re-ingestion. We will only re-ingest the alert if there is a new “event/ioc” associated with the alert.

