Microsoft Defender Incidents and Alerts Event Monitor Reference Guide
MS Defender Incidents and Alerts Event Monitor
Monitors and sends alerts based on the status of Microsoft Defender incidents and alerts.
Overview
The Microsoft Defender Incidents and Alerts Event Monitor warns about Defender incidents and alerts that are unresolved, unassigned, or otherwise in a suboptimal state. You can use it to receive alerts about incident and alert statuses and display a list of alerts and incidents in the event monitor results.
Use Cases
- Getting alerted about unresolved or unassigned alerts and incidents
Monitoring Options
This event monitor provides the following options:
Alert with [Info/Warning/Error/Critical] if Azure cannot be contacted
This option will send you an alert if the event monitor cannot contact Azure.
Alert with [Info/Warning/Error/Critical] if there are any unresolved incidents with a status of [Informational/Low/Medium/High] or more severe
This option lets you choose the level of alert that you'll receive about unresolved incidents of a minimum status threshold. The second dropdown lets you choose the minimum severity that the status has to reach before FrameFlow sends you an alert.
Ignore incidents where associated alerts are all resolved
Use this option to ignore incidents where all associated alerts are resolved. The event monitor will not generate an alert for such incidents.
Ignore incidents with a redirected status
With this option enabled, all incidents with a "redirected" status will not generate an alert when the event monitor runs.
Alert if a specified amount of time has passed and the incident is still unresolved
This option lets you specify an amount of time passed since an incident appeared. If the incident is still unresolved by that time, this option will trigger an alert.
Alert if a specified amount of time has passed and the incident is still unassigned
This option will alert you if a specified amount of time has gone by and the incident hasn't been assigned yet.
Alert with [Info/Warning/Error/Critical] if there are any unresolved alerts with a status of [Informational/Low/Medium/High] or more severe
The next options cover alerts. This one will send an alert if an unresolved alert reaches the status thresholds you specify.
Alert if a specified amount of time has passed and the alert is still unresolved
This option will alert you if a duration you specify has passed without the MS Defender alert being resolved.
Alert if a specified amount of time has passed and the alert is still unassigned
Enable this option to get notified if a specified amount of time has passed and the alert is still not assigned.
Device Association
Use the chooser to select a device to associate events and data points with. Some incidents and alerts aren't associated with a specific device, so using this option will allow you to monitor them.
Include a table of incidents and alerts [before all/after all] event text
Use this option to include a table of current incidents and alerts in the result text the event monitor generates each time it runs.
Incidents to ignore
In the provided field, enter a list of incidents the event monitor should ignore each time it runs, separating each entry onto a new line.
Alerts to ignore
Enter a list of alerts to ignore, one per line.
Authentication and Security
The account used to authenticate with FrameFlow must have SecurityAlert.Read.All and SecurityIncident.Read.All at the application level.
Protocols
Data Points
This event monitor generates the following data points:
| Data Point | Description |
|---|---|
| Active Incidents | Incidents that are active at the time the event monitor runs |
| Alerts | The number of current alerts |
| Alerts in Progress | The number of alerts in progress |
| Incidents | The total incident count |
| Incidents Awaiting Action | The number of incidents awaiting action, either approval or further investigation |
| Incidents in Progress | The number of incidents that are in progress |
| New Alerts | The total count of new alerts |
| Redirected Incidents | The number of redirected incidents |
| Resolved Alerts | The number of resolved alerts |
| Resolved Alerts % | The percentage of alerts that are resolved |
| Resolved Incidents | The number of resolved incidents |
| Resolved Incidents % | The percentage of incidents that are resolved |
Tutorial
To view the tutorial for this event monitor, click here.
Sample Output
Comments
Add a comment