I have created a Job in SecOps that closes an incident in Microsoft Defender after certain conditions are met:
When I go to the incident in Microsoft Defender, I can see that the incident was closed correctly with falsePositive:
However, nothing appears written in the marked box of the following image:
Am I doing this correctly with the comment? Or is that box filled in another way? And can I fill it through the Job?
Any help will be appreciated!
I managed to find the solution. I don't know if this happens to everyone else, but in my case, when I use the update_incident method on its own, whatever you write in the comment does not appear anywhere. However, you can solve it by using add_comment_to_incident:
This, unfortunately, does not write anything in the reason for closing, it simply creates a comment (as its name states):
There is no existing method to specify the reason of the closure from the job, but you can make the job send an email to someone every time an incident is closed so that you know that you have to copy that comment as the reason of closure in that incident.
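Added example, not from the original post or from the SecOps integration: a small Python model of the workaround described above (close with update_incident, attach the reason with add_comment_to_incident, read the incident back, and flag what still has to be copied by hand). The FakeDefenderClient class, the method signatures, get_incident, and the status string "Resolved" are assumptions; only the method names and the falsePositive classification come from the thread.

```python
from dataclasses import dataclass, field

@dataclass
class Incident:
    incident_id: str
    status: str = "Active"
    classification: str = "unknown"
    comments: list = field(default_factory=list)
    closing_reason: str = ""  # the portal box the post says stays empty

class FakeDefenderClient:
    """Assumed stand-in for the integration client. It behaves as the thread
    describes: update_incident applies status/classification but the comment
    passed to it never surfaces anywhere."""
    def __init__(self, incidents):
        self.incidents = {i.incident_id: i for i in incidents}

    def update_incident(self, incident_id, status, classification, comment=None):
        inc = self.incidents[incident_id]
        inc.status, inc.classification = status, classification
        return inc  # 'comment' is accepted but dropped, mirroring the observed behaviour

    def add_comment_to_incident(self, incident_id, comment):
        self.incidents[incident_id].comments.append(comment)
        return self.incidents[incident_id]

    def get_incident(self, incident_id):
        return self.incidents[incident_id]

def close_as_false_positive(client, incident_id, reason):
    """Close the incident, make sure the reason is visible as a comment, and
    report whether a human still has to copy it into the closing reason."""
    client.update_incident(incident_id, status="Resolved",
                           classification="falsePositive", comment=reason)
    inc = client.get_incident(incident_id)
    if reason not in inc.comments:  # comment did not land: use the workaround
        client.add_comment_to_incident(incident_id, reason)
        inc = client.get_incident(incident_id)
    closed = (inc.status == "Resolved" and inc.classification == "falsePositive"
              and reason in inc.comments)
    needs_manual_reason = closed and not inc.closing_reason
    email = (f"Incident {incident_id} closed as falsePositive; copy this comment "
             f"into the closing reason: {reason}") if needs_manual_reason else None
    return {"closed": closed, "needs_manual_reason": needs_manual_reason, "email": email}

# Constructed sample incident for a stand-alone run
SAMPLE = FakeDefenderClient([Incident("INC-001")])
```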