There are three main reasons why an MDR for Microsoft 365 detection does not have an incident attached:
- The detection was reviewed and deemed insufficient, e.g., a benign or false positive classification to warrant incident generation.
- The detection resulted from an interim or in-testing detection rule that is actively being tuned and therefore triggers detections that fall foul of reason #1.
- The detection is a part of a deeper investigation currently validating the security situation and circumstances at play; its respective incident is likely incoming.
Can you tell me why a specific detection didn't warrant an incident?
Unfortunately, during our Beta phase, we're unable to provide that level of granularity. We're actively investigating an automated way to provide bespoke feedback on singular detections. If you desire a particular form of detection feedback, please let us know at https://feedback.huntress.com/ - the Huntress Team constantly reviews posts.
I've had a confirmed security incident within Microsoft 365; it appears that data or a detection collected by Huntress may have additional information, and I need Huntress's assistance.
Please contact your respective Account or Success Manager as soon as possible, and give as many details as possible. Huntress is dedicated to serving our community.