Hi All,
I am testing the Microsoft 365 Defender (XDR) Integration v26.0 and have observed the following which when looking at the documentation seems to be by design.
Scenario 1
- Event triggered and “Incident 1” created in XDR
- Event triggered and “Incident 2” created in XDR
- Both incidents and their associated alerts are ingested into the SOAR and created:
  - Case 1 with the name “Incident 1”
  - Case 2 with the name “Incident 2”
- XDR then correlated Incidents 1 & 2 based on a rule, renamed “Incident 1” to “Suspicious activity on one endpoint”, moved the alert from “Incident 2” to “Incident 1” and closed “Incident 2”
- The Sync Job in SOAR attached all alerts to Case 1 but left the Case name as “Incident 1”
- The SOAR Case “Incident 2” was left open along with its associated Alert
Scenario 2
- Event triggered and “Incident 1” created in XDR
- Event triggered and “Incident 2” created in XDR
- “Incident 1” ingested into SOAR and a Case created with the same name “Incident 1”
- Before ingestion of “Incident 2”, XDR correlated the Incidents based on a rule, renamed “Incident 1” to “Suspicious activity on one endpoint”, moved the alert from “Incident 2” to “Incident 1” and closed “Incident 2”
- The Sync Job in SOAR attached all alerts to Case 1 but left the Case name as “Incident 1”
I am thinking that if the Sync Job only handles Alerts, then I will probably need to write a Job to close the orphaned Case in SOAR by checking the status of the Incident in XDR. Any thoughts?
Thanks
Daryll
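One shape the reconciliation job described in the post could take, as an added example that is not part of the original post and not the integration's own code. The XDR incident and SOAR case field names, the status values ("Active", "Resolved", "Open", "Closed") and the sample data for Scenario 1 are all assumptions; a real job would pull these from the XDR and SOAR APIs.

```python
# Added example (not the integration's code): reconcile open SOAR cases
# against the current state of their XDR incidents. Field names, status
# values and sample data are assumptions constructed for this example.
from dataclasses import dataclass, field


@dataclass
class XdrIncident:
    incident_id: str
    name: str
    status: str           # assumed values: "Active" or "Resolved"
    alert_ids: list       # alerts XDR currently attributes to this incident


@dataclass
class SoarCase:
    case_id: int
    incident_id: str      # XDR incident the case was created from
    name: str
    status: str = "Open"  # assumed values: "Open" or "Closed"
    alert_ids: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def reconcile(cases, incidents):
    """Close orphaned cases and re-sync renamed ones. Returns (case_id, action) pairs."""
    by_id = {i.incident_id: i for i in incidents}
    # Current owner of each alert in XDR, so a closed case can point at the survivor.
    alert_owner = {a: i.incident_id for i in incidents for a in i.alert_ids}
    actions = []
    for case in cases:
        inc = by_id.get(case.incident_id)
        if case.status != "Open" or inc is None:
            continue
        if inc.status == "Resolved":
            # Incident was closed in XDR (e.g. merged): find where its alerts went.
            survivors = {alert_owner[a] for a in case.alert_ids if a in alert_owner}
            survivors.discard(inc.incident_id)
            note = f"Closed by sync: XDR incident {inc.incident_id} is Resolved"
            if survivors:
                note += f"; alerts now under {', '.join(sorted(survivors))}"
            case.status, case.notes = "Closed", case.notes + [note]
            actions.append((case.case_id, "close"))
        elif inc.name != case.name:
            case.name = inc.name  # pick up the rename XDR applied on correlation
            actions.append((case.case_id, "rename"))
    return actions


def sample_scenario_1():
    """Constructed data matching Scenario 1 after XDR correlated the incidents."""
    incidents = [XdrIncident("INC-1", "Suspicious activity on one endpoint", "Active", ["A1", "A2"]),
                 XdrIncident("INC-2", "Incident 2", "Resolved", [])]
    cases = [SoarCase(1, "INC-1", "Incident 1", alert_ids=["A1", "A2"]),
             SoarCase(2, "INC-2", "Incident 2", alert_ids=["A2"])]
    return cases, incidents
```

Run on the Scenario 1 data, the job renames Case 1 to the new XDR title and closes Case 2 with a note pointing at INC-1, which is where its alert now lives.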