Auto-closing incidents using automation rules
Creating an automation rule
In this case, we want an automation rule that closes an incident as soon as it is created, when a specific IP address is detected during a specific time window. One such scenario is a penetration test: the tester's IP address will generate a lot of false positives, and we don't want to overload SOC analysts with those incidents; instead, we let them focus on their day-to-day operations. The following case involves penetration testing in which the SOC is not engaged:
- To begin, we need to go to Microsoft Sentinel and the Automation tab.
- Select Create and choose Automation rule.
- Under Automation rule name, we can add Pen-Testing False Positive.
- The trigger should stay as When incident is created.
- In Conditions, we can leave All for Analytic...
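The portal steps above build the rule interactively. As an added example (not from this text or from Microsoft), the following Python builds the same rule as a JSON body in the shape of the Microsoft.SecurityInsights automation rules REST API (the property names such as `triggersOn`, `expirationTimeUtc`, `IPAddress` and `ModifyProperties` are taken from that schema as I know it and should be checked against the current api-version), then runs two local checks a practitioner would want before saving such a rule: that it is scoped by an entity condition and by an expiration date, so it cannot silently close every new incident or keep closing incidents after the test ends, and a simulation of which constructed incidents it would auto-close. The IP address, window and incidents are constructed sample values; `build_rule`, `check_rule` and `would_auto_close` are hypothetical helper names.

```python
"""Build and sanity-check a Sentinel automation rule that auto-closes incidents
involving a known penetration-testing IP until a fixed expiration time."""
from datetime import datetime, timezone

# Constructed sample values: a TEST-NET-3 address and an end-of-engagement time.
PENTEST_IP = "203.0.113.42"
WINDOW_END = datetime(2024, 6, 7, 18, 0, tzinfo=timezone.utc)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_rule(ip, expires_at, name="Pen-Testing False Positive"):
    """Return the request body for an incident-created automation rule.

    The shape follows the Microsoft.SecurityInsights automationRules REST schema
    (assumed from that schema; verify field names against the current docs)."""
    return {
        "properties": {
            "displayName": name,
            "order": 1,
            "triggeringLogic": {
                "isEnabled": True,
                "triggersOn": "Incidents",
                "triggersWhen": "Created",
                # The "specific time window": the rule stops firing after this.
                "expirationTimeUtc": expires_at.strftime(TIME_FMT),
                "conditions": [
                    {
                        "conditionType": "Property",
                        "conditionProperties": {
                            "propertyName": "IPAddress",
                            "operator": "Equals",
                            "propertyValues": [ip],
                        },
                    }
                ],
            },
            "actions": [
                {
                    "order": 1,
                    "actionType": "ModifyProperties",
                    "actionConfiguration": {
                        "status": "Closed",
                        # Authorized testing maps to Sentinel's benign-positive class.
                        "classification": "BenignPositive",
                        "classificationReason": "SuspiciousButExpected",
                        "classificationComment": "Authorized penetration test traffic",
                    },
                }
            ],
        }
    }


def check_rule(rule):
    """Return a list of scoping problems; an empty list means the rule is safely scoped."""
    props = rule["properties"]
    logic = props["triggeringLogic"]
    problems = []
    if "expirationTimeUtc" not in logic:
        problems.append("no expiration: rule keeps auto-closing after the test ends")
    if not logic.get("conditions"):
        problems.append("no conditions: rule auto-closes every new incident")
    closes = any(
        a["actionType"] == "ModifyProperties"
        and a["actionConfiguration"].get("status") == "Closed"
        for a in props["actions"]
    )
    if not closes:
        problems.append("no close action: rule does nothing useful")
    return problems


def _incident_ips(incident):
    return {e["address"] for e in incident.get("entities", []) if e.get("kind") == "Ip"}


def _condition_matches(cond, incident):
    cp = cond["conditionProperties"]
    if cp["propertyName"] != "IPAddress":
        return False  # only IP-entity conditions are modelled in this example
    hits = _incident_ips(incident) & set(cp["propertyValues"])
    if cp["operator"] == "Equals":
        return bool(hits)
    if cp["operator"] == "NotEquals":
        return not hits
    raise ValueError(f"operator not modelled: {cp['operator']}")


def would_auto_close(rule, incident, now):
    """Simulate the rule against one new incident at time `now` (UTC)."""
    logic = rule["properties"]["triggeringLogic"]
    if not logic["isEnabled"]:
        return False
    expires = datetime.strptime(logic["expirationTimeUtc"], TIME_FMT).replace(tzinfo=timezone.utc)
    if now > expires:
        return False
    # All conditions must match; note that an empty list matches everything.
    return all(_condition_matches(c, incident) for c in logic["conditions"])


# Constructed sample incidents, as they might arrive during the engagement.
INCIDENTS = [
    {"title": "Port scan from 203.0.113.42", "entities": [{"kind": "Ip", "address": "203.0.113.42"}]},
    {"title": "Suspicious logon", "entities": [{"kind": "Ip", "address": "198.51.100.7"}]},
]

if __name__ == "__main__":
    rule = build_rule(PENTEST_IP, WINDOW_END)
    print("problems:", check_rule(rule) or "none")
    during = datetime(2024, 6, 5, 12, 0, tzinfo=timezone.utc)
    for inc in INCIDENTS:
        print(inc["title"], "->", "auto-closed" if would_auto_close(rule, inc, during) else "left open")
```

Run the file to see the first incident closed and the second left for the analysts. The two checks are the point: the portal will happily save a rule with no condition and no expiration, and `check_rule` flags exactly those two states, while `would_auto_close` shows that such an unscoped rule closes every incident created until someone notices. The page calls these incidents false positives; the action above records them as benign positive with the reason suspicious-but-expected, which is Sentinel's classification for expected activity such as authorized testing.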