Commit 63b1f9b

Ely's edits
1 parent 9dda569 commit 63b1f9b

1 file changed

+4
-4
lines changed

articles/sentinel/whats-new.md

Lines changed: 4 additions & 4 deletions
@@ -41,13 +41,13 @@ This integration can't be disabled.
4141

4242
Microsoft Sentinel customers (who are also AADIP subscribers) with [Microsoft 365 Defender integration](microsoft-365-defender-sentinel-integration.md) enabled will automatically start receiving AADIP alerts and incidents in their Microsoft Sentinel incidents queue. Depending on your configuration, this may affect you as follows:
4343

44-
- If you already have your AADIP connector enabled in Microsoft Sentinel, you may receive duplicate incidents. To avoid this, you have a few choices, listed here in descending order of preference:
44+
- If you already have your AADIP connector enabled in Microsoft Sentinel, and you've enabled incident creation, you may receive duplicate incidents. To avoid this, you have a few choices, listed here in descending order of preference:
4545

4646
| Preference | Action in Microsoft 365 Defender | Action in Microsoft Sentinel |
4747
| - | - | - |
48-
| **1** | Keep the default AADIP integration of **Selective alerts**. | Disable **incident creation** in your AADIP data connector. |
49-
| **2** | Choose the **All alerts** AADIP integration. | Use automation rules to automatically close incidents with unwanted alerts.<br><br>Disable **incident creation** in your AADIP data connector. |
50-
| **3** | Don't use Microsoft 365 Defender for AADIP alerts:<br>Choose either option for AADIP integration. | Use automation rules to close all incidents where <br>- the *incident provider* is `Microsoft 365 Defender` and <br>- the *alert provider* is `Azure Active Directory Identity Protection`. <br><br>Keep **incident creation** enabled in your AADIP data connector. |
48+
| **1** | Keep the default AADIP integration of **Selective alerts**. | Disable any [**Microsoft Security** analytics rules](detect-threats-built-in.md) that create incidents from AADIP alerts. |
49+
| **2** | Choose the **All alerts** AADIP integration. | Create automation rules to automatically close incidents with unwanted alerts.<br><br>Disable any [**Microsoft Security** analytics rules](detect-threats-built-in.md) that create incidents from AADIP alerts. |
50+
| **3** | Don't use Microsoft 365 Defender for AADIP alerts:<br>Choose either option for AADIP integration. | Create automation rules to close all incidents where <br>- the *incident provider* is `Microsoft 365 Defender` and <br>- the *alert provider* is `Azure Active Directory Identity Protection`. <br><br>Leave enabled those [**Microsoft Security** analytics rules](detect-threats-built-in.md) that create incidents from AADIP alerts. |
5151

5252
- If you don't have your [AADIP connector](data-connectors-reference.md#azure-active-directory-identity-protection) enabled, you must enable it. Be sure **not** to enable incident creation on the connector page. If you don't enable the connector, you may receive AADIP incidents without any data in them.
5353
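
Review bot: The terminology for the Sentinel-side setting is now inconsistent across this hunk: the rewritten rows at new lines 48-50 tell the reader to disable or leave enabled the **Microsoft Security** analytics rules, while the edited bullet at line 44 says "you've enabled incident creation" and the unchanged bullet at line 52 still says "Be sure **not** to enable incident creation on the connector page". A reader cannot tell from these lines whether the connector-page setting and the analytics rules are the same control. Suggest saying in line 44 where incident creation is enabled, and bringing line 52 into the same wording as the table. Row 3's "Leave enabled those ... analytics rules" would also read more clearly as "Keep ... enabled", matching the phrasing of the line it replaces.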
