Skip to content
Recued
Menu
← Back to recipes

Update a Microsoft Defender endpoint alert

by recued-core v1

Approval-gated Microsoft Defender for Endpoint alert workflow for one alert. It reads the alert for context, then updates only workflow fields through recued-core.microsoft-defender-endpoint.alert.update: status, assignee, classification, determination, and comment. It does not create alerts, bulk-update alerts, run machine actions, mutate machines, run advanced hunting, or call arbitrary Defender APIs.

How it works 5 steps

Inspect the data fetches, transforms, gates, and output this recipe runs.

Process (5 steps)
alert_id trim
Trim whitespace from setting alert id
comment trim
Trim whitespace from setting comment
alert_before ?
alert_update ?
card to_summary
Format results as a summary card
Settings 7 configurable

Configurable at install. Defaults shown — change them anytime in Recued.

status setting = InProgress
comment setting = Update alert triage state from Recued.
alert id setting =
assigned to setting =
determination setting =
classification setting =
microsoft defender setting =

Trust & control

What installing this recipe would let it do. Recued grants these permissions at install — review them there before approving.

Where it runs

Device + server Runs on your device (browser) or your server.

Permissions it requires

Read your Microsoft-defender connection
Declared by the recipe — Recued grants these at install, where you review them before approving.

About

Tags

microsoft-defender-endpoint microsoft-defender-endpointdefender-for-endpointendpoint-securityalertsincident-responseapprovalpack:microsoft-defender-endpoint

Details

5 steps 7 configurable settings recipe_id: update-microsoft-defender-endpoint-alert