
List Automatically Closed Incidents

Description

This KQL query lists the incidents that were automatically closed by Microsoft Defender XDR. It is good practice to get an overview of the automatically closed incidents and review them at a fixed interval of your choosing, to confirm that every risk they represent has actually been covered. The number of automatically closed incidents depends on the automation levels configured for automated investigation and remediation in your tenant.

Query

Microsoft Sentinel

SecurityIncident
// Keep incidents that were last modified by Defender XDR itself rather than by an analyst
| where ProviderName == "Microsoft 365 Defender" and ModifiedBy == "Microsoft 365 Defender"
// Owner is a dynamic column; an empty objectId means no analyst was ever assigned
| extend OwnerObjectID = tostring(Owner.objectId)
| where Status == "Closed" and Classification == "Undetermined"
| where isempty(OwnerObjectID)
// Keep only closures that carry a classification comment
| where isnotempty(ClassificationComment)
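As an added example that is not part of the original post, the same filters extended for the periodic review described above: SecurityIncident stores one row per incident update, so the query first keeps only the latest state of each incident with arg_max, then counts auto-closed incidents per week and per incident title so recurring automatic closures stand out. IncidentNumber, Title, Severity, ClosedTime and TimeGenerated are standard SecurityIncident columns; the 90-day lookback and the 7-day review bin are assumptions.

```kql
// Added example: weekly overview of incidents auto-closed by Microsoft Defender XDR.
// SecurityIncident holds one row per incident update, so take the latest row per
// incident first; otherwise an incident that was updated several times is counted
// several times.
SecurityIncident
| where TimeGenerated > ago(90d)                       // assumed review window
| summarize arg_max(TimeGenerated, *) by IncidentNumber // current state of each incident
// Same conditions as the original query, now applied to the current state only
| where ProviderName == "Microsoft 365 Defender" and ModifiedBy == "Microsoft 365 Defender"
| extend OwnerObjectID = tostring(Owner.objectId)
| where Status == "Closed" and Classification == "Undetermined"
| where isempty(OwnerObjectID)
| where isnotempty(ClassificationComment)
// One row per review period and incident title, with a sample of the closure comment
| summarize AutoClosedIncidents = count(),
            Severities = make_set(Severity),
            SampleComment = take_any(ClassificationComment)
    by ReviewWeek = bin(ClosedTime, 7d), Title        // assumed 7-day review period
| order by ReviewWeek desc, AutoClosedIncidents desc
```

Titles that appear every week with high counts are the first candidates for checking whether the automation level for that alert type is appropriate.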
