Monitors and sends alerts based on the status of Microsoft Defender incidents and alerts.
The Microsoft Defender Incidents and Alerts Event Monitor warns about Defender incidents and alerts that are unresolved, unassigned, or otherwise in a suboptimal state. You can use it to receive alerts about incident and alert statuses and display a list of alerts and incidents in the event monitor results.
This event monitor provides the following options:
This option will send you an alert if the event monitor cannot contact Azure.
This option lets you choose the level of FrameFlow alert you'll receive about unresolved incidents that meet a minimum severity threshold. The second dropdown sets the minimum Defender severity an incident must reach before FrameFlow sends you an alert.
Use this option to ignore incidents where all associated alerts are resolved. The event monitor will not generate an alert for such incidents.
With this option enabled, incidents with a "redirected" status do not generate an alert when the event monitor runs.
This option lets you specify how long an incident may remain unresolved after it first appears. If the incident is still unresolved once that time has passed, the option triggers an alert.
This option will alert you if a specified amount of time has gone by and the incident hasn't been assigned yet.
The next options cover Defender alerts rather than incidents. This one sends a FrameFlow alert if an unresolved Defender alert reaches the status threshold you specify.
This option will alert you if a duration you specify has passed without the MS Defender alert being resolved.
Enable this option to get notified if a specified amount of time has passed and the alert is still not assigned.
Use the chooser to select a device to associate events and data points with. Some incidents and alerts aren't tied to a specific device, so this option lets you monitor those as well.
Use this option to include a table of current incidents and alerts in the result text the event monitor generates each time it runs.
In the provided field, enter a list of incidents the event monitor should ignore each time it runs, one entry per line.
Enter a list of alerts to ignore, one per line.
The account used to authenticate with FrameFlow must be granted the SecurityAlert.Read.All and SecurityIncident.Read.All permissions as application permissions (not delegated permissions).
This event monitor generates the following data points:
| Data Point | Description |
|---|---|
| Active Incidents | Incidents that are active at the time the event monitor runs |
| Alerts | The number of current alerts |
| Alerts in Progress | The number of alerts in progress |
| Incidents | The total incident count |
| Incidents Awaiting Action | The number of incidents awaiting action, either approval or further investigation |
| Incidents in Progress | The number of incidents that are in progress |
| New Alerts | The total count of new alerts |
| Redirected Incidents | The number of redirected incidents |
| Resolved Alerts | The number of resolved alerts |
| Resolved Alerts % | The percentage of alerts that are resolved |
| Resolved Incidents | The number of resolved incidents |
| Resolved Incidents % | The percentage of incidents that are resolved |
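The following is an added example, not FrameFlow's own code, showing how the option logic described above (severity threshold, unresolved and unassigned durations, skipping redirected incidents and incidents whose alerts are all resolved, ignore lists) and the data-point counts can be evaluated over incident and alert records. It assumes records shaped like Microsoft Graph security incident and alert objects (`status`, `severity`, `assignedTo`, `createdDateTime`, nested `alerts`); the sample records and timestamps are constructed.

```python
from datetime import datetime, timezone

# Constructed sample records in the shape of Microsoft Graph security objects
# (the resources SecurityIncident.Read.All / SecurityAlert.Read.All cover);
# not data from a real tenant.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
INCIDENTS = [
    {"id": "1", "status": "active", "severity": "high", "assignedTo": None,
     "createdDateTime": "2024-05-01T09:00:00Z", "alerts": [{"status": "new"}, {"status": "resolved"}]},
    {"id": "2", "status": "inProgress", "severity": "medium", "assignedTo": "soc@example.test",
     "createdDateTime": "2024-04-30T08:00:00Z", "alerts": [{"status": "inProgress"}]},
    {"id": "3", "status": "active", "severity": "low", "assignedTo": None,
     "createdDateTime": "2024-04-29T08:00:00Z", "alerts": [{"status": "resolved"}]},
    {"id": "4", "status": "redirected", "severity": "high", "assignedTo": None,
     "createdDateTime": "2024-04-20T08:00:00Z", "alerts": []},
    {"id": "5", "status": "resolved", "severity": "medium", "assignedTo": "soc@example.test",
     "createdDateTime": "2024-04-25T08:00:00Z", "alerts": [{"status": "resolved"}]},
]
ALERTS = [a for inc in INCIDENTS for a in inc["alerts"]]  # flat list of Defender alerts
INCIDENT_STATUSES = ("active", "inProgress", "awaitingAction", "redirected", "resolved")
ALERT_STATUSES = ("new", "inProgress", "resolved")
SEVERITY = {"informational": 0, "low": 1, "medium": 2, "high": 3}

def status_counts(items, statuses):
    """Per-status counts plus total and resolved %, i.e. the monitor's data points."""
    counts = {s: sum(1 for i in items if i["status"] == s) for s in statuses}
    counts["total"] = len(items)
    counts["resolved_pct"] = round(100 * counts["resolved"] / len(items), 1) if items else 0.0
    return counts

def triggered(incidents, now, min_severity, unresolved_after_h, unassigned_after_h,
              ignore_ids=(), skip_all_alerts_resolved=True, skip_redirected=True):
    """Ids of incidents that should raise an alert under the given monitor options."""
    hits = []
    for inc in incidents:
        if inc["id"] in ignore_ids or inc["status"] == "resolved":
            continue  # explicitly ignored, or nothing left to act on
        if skip_redirected and inc["status"] == "redirected":
            continue
        alerts = inc["alerts"]
        if skip_all_alerts_resolved and alerts and all(a["status"] == "resolved" for a in alerts):
            continue  # every associated alert is already resolved
        if SEVERITY.get(inc["severity"], 0) < SEVERITY[min_severity]:
            continue  # below the severity threshold
        created = datetime.fromisoformat(inc["createdDateTime"].replace("Z", "+00:00"))
        age_hours = (now - created).total_seconds() / 3600
        unassigned = inc["assignedTo"] is None and age_hours >= unassigned_after_h
        if age_hours >= unresolved_after_h or unassigned:
            hits.append(inc["id"])
    return hits
```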