
Hey all!

 

We are trying to get a two-way sync between MSXDR (Microsoft 365 Defender) and SecOps cases.

We have the 365 Defender integration configured, and we get SecOps cases created based on MSXDR incidents.

 

However, we need the following:

SecOps case closed > XDR incident is set to resolved

XDR incident is resolved (in XDR) > SecOps case is closed

 

The need here is:

  1. The analyst does not need to close a case in two portals (SecOps and XDR portal)
  2. XDR sometimes does merging or autoclosing; this incident status change should be reflected in SecOps

 

Hey @0xM4XDF1R,

 

For this use case, you would need to create a Job. Jobs are designed to synchronize Google SecOps with 3rd party products. You can take inspiration from our Sample Integration; here is the related guide for it.

 

But we do plan to have an official job for M365 Defender in Q4 2025/Q1 2026. I will take it internally to see if it can be done sooner rather than later.


Hey @0xM4XDF1R,

We’re using a custom job in our environment. You’re going to need to lean on the Defender XDR APIs and the Siemplify SDK for case manipulation.

Unfortunately I can't send you the raw Python code at present, but fundamentally you want to achieve this logic -

There’s some neat translation you can do between closure reasons too to ensure both Defender and SecOps have the correct classifications.

Sorry it's not as simple as a cut-and-paste solution for you right now. I had a hell of a time with this way back, so I know the pain.

It's positive news that an officially supported job might be on the way!
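To make the two-way closure logic discussed in this thread concrete, here is an added example of the reconciliation step a custom job would run on each poll; it is not code from the replies above, from Google, or from Microsoft. The status values, closure-reason names and the `Redirected` (merged) status are assumptions standing in for the real Defender XDR and SecOps enumerations, and the actual API/SDK calls are left to the caller, which executes the returned actions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed status vocabularies; replace with the real Defender XDR and SecOps values.
XDR_CLOSED = {"Resolved", "Redirected"}  # Redirected = merged into another incident (assumed)

# Closure-reason translation in both directions (assumed placeholder names).
XDR_TO_SECOPS = {
    "TruePositive": "MALICIOUS",
    "FalsePositive": "NOT_MALICIOUS",
    "InformationalExpectedActivity": "NOT_MALICIOUS",
    "Unknown": "INCONCLUSIVE",
}
SECOPS_TO_XDR = {
    "MALICIOUS": "TruePositive",
    "NOT_MALICIOUS": "FalsePositive",
    "MAINTENANCE": "InformationalExpectedActivity",
    "INCONCLUSIVE": "Unknown",
}

@dataclass
class XdrIncident:
    incident_id: str
    status: str
    classification: Optional[str] = None

@dataclass
class SecOpsCase:
    case_id: str
    incident_id: str          # stored on the case when the connector ingested the incident
    is_closed: bool
    close_reason: Optional[str] = None

def plan_sync(case: SecOpsCase, incident: XdrIncident) -> tuple:
    """Decide the single action for one case/incident pair: sync closure in whichever
    direction is missing, translating the closure reason; do nothing if already converged."""
    xdr_closed = incident.status in XDR_CLOSED
    if case.is_closed and not xdr_closed:
        # Analyst closed the SecOps case: resolve the XDR incident with a mapped classification.
        return ("resolve_incident", incident.incident_id, SECOPS_TO_XDR.get(case.close_reason, "Unknown"))
    if xdr_closed and not case.is_closed:
        # XDR resolved, auto-closed or merged the incident: close the SecOps case accordingly.
        reason = "INCONCLUSIVE" if incident.status == "Redirected" \
            else XDR_TO_SECOPS.get(incident.classification, "INCONCLUSIVE")
        return ("close_case", case.case_id, reason)
    return ("noop", None, None)

def run_sync(cases: list, incidents: list) -> list:
    """Pair cases with incidents by incident id and return the actions the job should execute."""
    by_id = {i.incident_id: i for i in incidents}
    return [plan_sync(c, by_id[c.incident_id]) for c in cases if c.incident_id in by_id]
```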