Missing incident description on Microsoft Defender XDR incidents created by Microsoft Sentinel #10446
Comments
|
Hi @ep3p |
|
Hi @ep3p, |
|
Hi @ep3p, |
|
Hi @ep3p, Hope you're doing good. As you have raised the support case for this same issue, our support team is working on your ticket. ICM is raised for this issue and so this is duplicate issue that's why closing this issue. |
|
@v-rusraut what do you mean?? I have not raised any support case. I have only opened this issue on this GitHub repository. |
|
Hi @ep3p, |
|
Hi @ep3p, Thanks! |
|
Thank you very much @v-rusraut, understood. |
Is your feature request related to a problem? Please describe.
Microsoft Defender XDR incidents have NEVER had a description field available in Microsoft Sentinel portal.
When "Incident provider name" is "Azure Sentinel" the incidents HAVE a description.
When "Incident provider name" is "Microsoft Defender XDR" the incidents do NOT have a description (in Microsoft Sentinel portal in Azure).
IF you integrate a Sentinel workspace to Microsoft Defender XDR , ALL the incidents will have now "Microsoft Defender XDR" as "Incident provider name", and ALL the incidents created by Microsoft Sentinel Analytics rules will LOSE their description (in Microsoft Sentinel portal in Azure).
There might be previous playbooks (logic apps) that USED the description field that now is empty, for incidents created by Microsoft Sentinel, and these playbooks now will continuously FAIL.
This is NOT expected, and is not mentioned in Microsoft Docs (https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration).
Describe the solution you'd like
Microsoft Defender XDR incidents SHOULD have a description in Microsoft Sentinel portal in Azure. They should not have missing attributes compared to incidents created directly by Microsoft Sentinel.
You should NOT LOSE capabilities when integrating Microsoft Sentinel with Microsoft Defender XDR.
The text was updated successfully, but these errors were encountered: