I am currently testing the Microsoft 365 Defender Integration (XDR) v26.0 and have noticed that if I trigger 2 x events that create 2 x Incidents in XDR, which then become correlated under a new Incident Name, the new Incident Name is not reflected in Google SecOps SOAR. This seems to be by design; however, I would like the case in SecOps SOAR to reflect the new Incident Name in XDR. I was thinking of utilising a KQL query in a playbook to do this. Any thoughts?
- Trigger an event: Incident 123456 (Test Incident 1) created in XDR
- Trigger an event: Incident 123457 (Test Incident 2) created in XDR
- Ingest takes place in SOAR: Case 5672 created with the name Test Incident 1
- Correlation takes place in XDR: Incident 123457 closed and its alert moved to 123456 in XDR
- Incident 123456 renamed from Test Incident 1 to Suspicious Activity on Endpoint
- SOAR attaches the new alert to Case 5672 and the case name stays as Test Incident 1
Thanks
Daryll
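An added example to go with the scenario above (not code from the original post and not part of the Google SecOps Microsoft 365 Defender integration): a playbook-style Python helper that works out whether a SOAR case should be renamed to follow the XDR incident it was created from, including the merge case where the case's source incident was redirected into another incident. Instead of KQL it assumes the shape of the Microsoft Graph security incident resource (GET https://graph.microsoft.com/v1.0/security/incidents/{id}: `displayName`, `status` with the value `redirected`, and `redirectTo`); the lookup used here is an in-memory stand-in for that call with constructed sample incidents, so it runs offline.

```python
"""Added example, not part of the original post or of the SecOps integration.

Decide whether a SOAR case should be renamed to match the current XDR incident
displayName. Incident fields follow the Microsoft Graph security incident
resource; `lookup_sample_incident` stands in for the Graph GET call.
"""
from typing import Callable, Dict, Optional, Set, Tuple

Incident = Dict[str, object]
Fetcher = Callable[[str], Optional[Incident]]

# Constructed sample data reproducing the post's scenario: 123457 was merged
# (redirected) into 123456, and XDR renamed 123456 during correlation.
SAMPLE_INCIDENTS: Dict[str, Incident] = {
    "123456": {"id": "123456", "displayName": "Suspicious Activity on Endpoint",
               "status": "active", "redirectTo": None},
    "123457": {"id": "123457", "displayName": "Test Incident 2",
               "status": "redirected", "redirectTo": "123456"},
}


def lookup_sample_incident(incident_id: str) -> Optional[Incident]:
    """Stand-in for GET /security/incidents/{id}; None plays the role of a 404."""
    return SAMPLE_INCIDENTS.get(incident_id)


def resolve_canonical_incident(incident_id: str, fetch: Fetcher,
                               max_hops: int = 5) -> Optional[Incident]:
    """Follow redirectTo until an incident that is not 'redirected' is reached.

    Returns None if an incident is missing, the chain loops, or it exceeds
    max_hops (defensive against bad data from the API).
    """
    seen: Set[str] = set()
    current_id = incident_id
    for _ in range(max_hops):
        if current_id in seen:
            return None  # redirect loop
        seen.add(current_id)
        inc = fetch(current_id)
        if inc is None:
            return None
        if inc.get("status") != "redirected" or not inc.get("redirectTo"):
            return inc
        current_id = str(inc["redirectTo"])
    return None


def compute_case_rename(case_name: str, source_incident_id: str,
                        fetch: Fetcher) -> Optional[Tuple[str, str]]:
    """Return (canonical_incident_id, new_case_name) when the SOAR case name
    differs from the canonical XDR incident's current displayName, else None.
    The actual rename is left to the SOAR platform's own case action."""
    inc = resolve_canonical_incident(source_incident_id, fetch)
    if inc is None:
        return None
    new_name = str(inc.get("displayName") or "").strip()
    if not new_name or new_name == case_name:
        return None
    return str(inc["id"]), new_name


if __name__ == "__main__":
    # Case 5672 was created from 123456 with the original name.
    print(compute_case_rename("Test Incident 1", "123456", lookup_sample_incident))
    # A case created from the merged incident 123457 resolves to 123456 too.
    print(compute_case_rename("Test Incident 2", "123457", lookup_sample_incident))
```

In a playbook the fetcher would be the integration's Graph call and the returned tuple would feed the platform's case-rename action, which this example deliberately does not call; following `redirectTo` is what keeps a case created from the closed incident (123457 in the scenario) pointed at the surviving one.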

