Incident Mapping between IDR Investigation and Defender for Endpoint

Hi Folks,

I’m looking to implement automated actions such as assignment and closure by mapping Defender incidents with IDR investigations. While I’m able to retrieve incidents using the Microsoft Defender for Endpoint Incident trigger, I haven’t been able to figure out how to map them correctly.

In IDR, I can extract the incidentId from the alert evidence and perform assignment and closure, but this doesn’t work for UBA alerts, and for ABA alerts, I can’t track real-time assignment and closure actions effectively.

As a workaround, I created a loop to check every minute for up to 200 minutes, since loops in the workflow engine don’t offer ‘continue until success’ or ‘exit when variable changes’ type conditions.

If anyone has a working workflow or ideas on how to better handle this mapping and automation, I’d love to hear your thoughts.

Thanks!
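An added example, not code from the original post or from Rapid7/Microsoft, sketching the two pieces the post describes: pulling the Defender incidentId out of IDR alert evidence (returning nothing for alerts that carry none, the UBA case) and a bounded poll that exits as soon as the incident's assignment or status changes rather than always running the full 200 iterations. The evidence layout, the `assignedTo`/`status` keys and the `fetch_incident` callable are assumptions standing in for the real IDR and Defender API calls.

```python
"""Added example (hypothetical API shapes, not Rapid7 or Microsoft code)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample IDR alert evidence (assumed layout). The ABA alert
# references a Defender incident; the UBA alert has no incidentId at all.
SAMPLE_ALERTS = [
    {"alertId": "aba-001", "source": "ABA",
     "evidence": [{"type": "defender_incident", "incidentId": 4711}]},
    {"alertId": "uba-002", "source": "UBA",
     "evidence": [{"type": "user", "user": "jdoe"}]},
]


def extract_defender_incident_id(alert: dict) -> Optional[int]:
    """Return the Defender incidentId referenced by an alert, or None when
    the evidence carries none (so the caller can route it elsewhere)."""
    for item in alert.get("evidence", []):
        if item.get("type") == "defender_incident" and "incidentId" in item:
            return int(item["incidentId"])
    return None


def map_alerts_to_incidents(alerts) -> Dict[str, object]:
    """Map alertId -> Defender incidentId; alerts without one are listed
    under 'unmapped' instead of being silently dropped."""
    mapped, unmapped = {}, []
    for alert in alerts:
        inc = extract_defender_incident_id(alert)
        if inc is None:
            unmapped.append(alert["alertId"])
        else:
            mapped[alert["alertId"]] = inc
    return {"mapped": mapped, "unmapped": unmapped}


@dataclass
class PollResult:
    changed: bool   # True if a watched field changed before the deadline
    polls: int      # how many polls were made after the baseline read
    final: dict     # last incident record observed


def poll_until_changed(incident_id: int,
                       fetch_incident: Callable[[int], dict],
                       interval_s: float = 60,
                       max_polls: int = 200,
                       sleep: Callable[[float], None] = time.sleep,
                       watch=("assignedTo", "status")) -> PollResult:
    """Read the incident once as a baseline, then re-read it every
    ``interval_s`` seconds until a watched field differs or ``max_polls``
    is reached. This is the 'exit when variable changes' behaviour that the
    workflow loop lacks; ``fetch_incident`` and the field names are assumed."""
    baseline = fetch_incident(incident_id)
    snapshot = {k: baseline.get(k) for k in watch}
    current = baseline
    for n in range(1, max_polls + 1):
        sleep(interval_s)
        current = fetch_incident(incident_id)
        if any(current.get(k) != snapshot[k] for k in watch):
            return PollResult(True, n, current)
    return PollResult(False, max_polls, current)


def make_fake_fetch(states):
    """Offline stand-in for the Defender incident API: returns the given
    states in order and repeats the last one forever (constructed data)."""
    calls = {"n": 0}

    def fetch(_incident_id: int) -> dict:
        state = states[min(calls["n"], len(states) - 1)]
        calls["n"] += 1
        return state
    return fetch


if __name__ == "__main__":
    print(map_alerts_to_incidents(SAMPLE_ALERTS))
    states = [{"assignedTo": None, "status": "Active"},
              {"assignedTo": None, "status": "Active"},
              {"assignedTo": "analyst@example.com", "status": "Active"}]
    print(poll_until_changed(4711, make_fake_fetch(states), interval_s=0,
                             sleep=lambda _s: None))
```

Injecting `fetch_incident` and `sleep` keeps the loop testable without touching either API; in a real workflow step the sleep would be the engine's delay action and the poll count the same 200-minute cap the post already uses.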