Query Details

XDR Automatically Closed Incidents

Query

# List Automatically Closed Incidents

## Query Information

#### Description
List the incidents that have been closed automatically by Microsoft Defender XDR. It is good practice to keep an overview of automatically closed incidents and review them on a regular cadence to confirm that the automated investigation actually covered the risk. The number of automatically closed incidents depends on the automation levels configured for automated investigation and remediation in your tenant.

#### References
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automation-levels?view=o365-worldwide

## Sentinel
```KQL
SecurityIncident
// Incidents synced from Defender XDR whose last modification was made by Defender XDR itself
| where ProviderName == "Microsoft 365 Defender" and ModifiedBy == "Microsoft 365 Defender"
// Owner is a dynamic column; extract the object ID so it can be tested for emptiness
| extend OwnerObjectID = tostring(Owner.objectId)
| where Status == "Closed" and Classification == "Undetermined"
// No analyst assigned, but a classification comment is present
| where isempty(OwnerObjectID)
| where isnotempty(ClassificationComment)
```

Explanation

This query retrieves incidents that Microsoft Defender XDR closed automatically. Review these incidents regularly to confirm that every risk they represent has been addressed; how many there are depends on the automation levels set for automated investigation and remediation in your tenant. The query keeps incidents whose ProviderName and ModifiedBy are both "Microsoft 365 Defender", extracts the owner object ID from the dynamic Owner column, and then requires a Status of "Closed", a Classification of "Undetermined", no owner, and a non-empty ClassificationComment. Together these conditions separate an automated closure from one performed by an analyst. Note that SecurityIncident stores one row per incident update, so an incident that an analyst later reopened or reclassified can still match on its earlier automatically closed row unless you keep only the latest row per IncidentNumber.
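As an added example that is not part of the original query or the author's page, the following KQL turns the list above into the periodic review overview the description recommends. It first reduces SecurityIncident to the latest state of each incident (so incidents later reopened or reclassified by an analyst are not counted as automatically closed), applies the same automatic-closure conditions, and then aggregates by incident title and classification comment. The 30-day review window and the output column names are assumptions; the columns read (TimeGenerated, IncidentNumber, Title, Severity, Status, Classification, ClassificationComment, Owner, ModifiedBy, ProviderName) are standard SecurityIncident columns.

```kql
// Added example: review overview of automatically closed Defender XDR incidents.
// The review window is an assumption; set it to your review cadence.
let review_window = 30d;
SecurityIncident
| where TimeGenerated > ago(review_window)
| where ProviderName == "Microsoft 365 Defender"
// SecurityIncident holds one row per incident update: keep only the most recent
// row of each incident so a later analyst reopen or reclassification wins.
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Same automatic-closure conditions as the query above, applied to the latest state
| where ModifiedBy == "Microsoft 365 Defender"
| extend OwnerObjectID = tostring(Owner.objectId)
| where Status == "Closed" and Classification == "Undetermined"
| where isempty(OwnerObjectID) and isnotempty(ClassificationComment)
// Aggregate for the review: how often each automated closure reason occurs per
// incident title, which severities were involved, and one incident to open as a sample.
| summarize AutoClosedCount = count(),
            Severities = make_set(Severity),
            SampleIncident = take_any(IncidentNumber),
            LastClosed = max(TimeGenerated)
    by Title, ClassificationComment
| order by AutoClosedCount desc
```

Run this at the start of each review period; rows with a high count, or with "High" in Severities, are the ones worth opening by SampleIncident to verify that the automated investigation reached the right conclusion.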

Details

Bert-Jan Pals

Released: December 18, 2023

Tables

SecurityIncident

Keywords

SecurityIncident,ProviderName,Microsoft365Defender,ModifiedBy,Owner,Status,Classification,OwnerObjectID,Closed,Undetermined,ClassificationComment

Operators

where,|,==,and,extend,tostring,isempty,isnotempty
