Microsoft Defender for Cloud Security Alerts are still open while link in Defender XDR is already resolved

Francis Arvin Hallare 0 Reputation points
2025-02-04T12:43:45.0866667+00:00

Our team observed that there are open or active alerts in Microsoft Defender for Cloud while the corresponding incident in Defender XDR is already resolved. We assume that it is the corresponding alert in Defender XDR since, when we click the link in Microsoft Defender for Cloud, it redirects to it. Maybe a sync issue?


1 answer

  1. Sanoop M 600 Reputation points Microsoft Vendor
    2025-02-05T21:28:48.7733333+00:00

    Hello @Francis Arvin Hallare,

    Thank you for posting your query on Microsoft Q&A.

    Please note that if you're seeing Microsoft Defender for Cloud security alerts remain open while the corresponding link in Defender XDR (Extended Detection and Response) has already been resolved, there are a few potential reasons for this issue to happen.

    Below are the possible causes and troubleshooting steps:

    1. Alert Syncing Delay

    Microsoft Defender for Cloud and Microsoft Defender XDR might not be perfectly synchronized in real-time. The alert resolution in Microsoft Defender XDR may have been processed, but it could take some time for that status to propagate back to Microsoft Defender for Cloud.

    Action:

    Please wait for a few minutes or up to an hour, and check again to see if the alerts in Microsoft Defender for Cloud get updated or closed.

    2. Alert Type Mismatch

    There could be different types of alerts in Microsoft Defender for Cloud and Microsoft Defender XDR that are associated with the same security event but classified in a way that Microsoft Defender for Cloud hasn’t recognized the resolution in Microsoft Defender XDR.

    Action:

    Investigate the specific alert types in both consoles. Compare their classifications to understand if they are truly the same underlying issue or are distinct.

    3. Alert Resolved in Microsoft Defender XDR, but Still Open in Microsoft Defender for Cloud

    Sometimes, in Microsoft Defender XDR, a resolved alert may still be showing as open in Microsoft Defender for Cloud due to different resolution methods. If the security investigation or incident was closed in Microsoft Defender XDR, but Microsoft Defender for Cloud didn't register that action (for example, manual remediation or auto-remediation), the alert remains open.

    Action:

    Manually close the alert in Microsoft Defender for Cloud if you’ve already taken the necessary actions. This can also be done via the Defender for Cloud portal under Security Alerts.

    4. Cross-Platform Integration Issues

    There may be integration issues between Microsoft Defender for Cloud and Microsoft Defender XDR, especially if you have custom configurations or are using both platforms in a multi-cloud environment. This can cause issues with data syncing and alert status updates.

    Action:

    Please review any integration settings between Microsoft Defender for Cloud and Microsoft Defender XDR, ensuring that the integration is working as expected.

    Microsoft Defender for Cloud is now integrated with Microsoft Defender XDR, formerly known as Microsoft 365 Defender. This integration allows Defender XDR to collect alerts from Defender for Cloud and create Defender XDR incidents from them.

    To support this integration, you must set up one of the following Microsoft Defender for Cloud data connectors, otherwise your incidents for Microsoft Defender for Cloud coming through the Microsoft Defender XDR connector won't display their associated alerts and entities:

    Microsoft Sentinel has a new Tenant-based Microsoft Defender for Cloud (Preview) connector. This connector allows Microsoft Sentinel customers to receive Defender for Cloud alerts across their entire tenants, without having to monitor and maintain the connector's enrollment to all their Defender for Cloud subscriptions. We recommend using this new connector, as the Microsoft Defender XDR integration with Microsoft Defender for Cloud is also implemented at the tenant level.

    Alternatively, you can use the Subscription-based Microsoft Defender for Cloud (Legacy) connector. This connector is not recommended, because if you have any Defender for Cloud subscriptions that aren't connected to Microsoft Sentinel in the connector, incidents from those subscriptions won't display their associated alerts and entities.

    Both connectors mentioned above can be used to ingest Defender for Cloud alerts, regardless of whether you have Defender XDR incident integration enabled.

    For additional details, please refer to the below document for your reference.

    https://learn.microsoft.com/en-us/azure/sentinel/ingest-defender-for-cloud-incidents

    As an overall summary, if alerts are resolved in Microsoft Defender XDR but still remain open in Microsoft Defender for Cloud, the above-mentioned points are the possible causes.

    I hope the information provided above is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks and Regards,

    Sanoop Mohan
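The troubleshooting points in the answer above (wait for propagation, compare alert types, close manually after verifying remediation, review integration) can be turned into a triage pass over exported data. The script below is an added example, not code from the answer author or from Microsoft: it reconciles a constructed export of Defender for Cloud alerts against the Defender XDR incidents they link to and buckets each alert by the action the answer recommends. The field names (`alertId`, `status`, `xdrIncidentLink`, `lastUpdateTime`), the sample records and the one-hour grace window are assumptions for this example, not the products' documented schemas.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample export of Defender for Cloud security alerts (not real data).
# Field names are assumptions made for this example, not Defender for Cloud's schema.
MDC_ALERTS = [
    {"alertId": "mdc-001", "status": "Active",
     "xdrIncidentLink": "https://security.microsoft.com/incidents/1001"},
    {"alertId": "mdc-002", "status": "Active",
     "xdrIncidentLink": "https://security.microsoft.com/incidents/1002"},
    {"alertId": "mdc-003", "status": "Active",
     "xdrIncidentLink": "https://security.microsoft.com/incidents/1003"},
    {"alertId": "mdc-004", "status": "Resolved",
     "xdrIncidentLink": "https://security.microsoft.com/incidents/1004"},
    {"alertId": "mdc-005", "status": "Active", "xdrIncidentLink": None},
]

# Constructed sample of the linked Defender XDR incidents, keyed by incident id.
XDR_INCIDENTS = {
    "1001": {"status": "Resolved", "lastUpdateTime": "2025-02-03T12:00:00Z"},
    "1002": {"status": "Resolved", "lastUpdateTime": "2025-02-04T11:50:00Z"},
    "1003": {"status": "Active",   "lastUpdateTime": "2025-02-04T09:00:00Z"},
    "1004": {"status": "Resolved", "lastUpdateTime": "2025-02-02T08:00:00Z"},
}

# The answer suggests allowing up to an hour for status propagation (assumed value).
SYNC_GRACE = timedelta(hours=1)

# Fixed "now" so the sample run is reproducible.
REFERENCE_NOW = datetime(2025, 2, 4, 12, 0, tzinfo=timezone.utc)

INCIDENT_ID_RE = re.compile(r"/incidents/(\d+)")


def incident_id_from_link(link):
    """Extract the numeric incident id from a Defender XDR incident URL, or None."""
    if not link:
        return None
    match = INCIDENT_ID_RE.search(link)
    return match.group(1) if match else None


def parse_utc(ts):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def reconcile(mdc_alerts, xdr_incidents, now, grace=SYNC_GRACE):
    """Bucket each Defender for Cloud alert by how it compares to its XDR incident.

    stale        - incident resolved longer than `grace` ago, alert still Active:
                   verify remediation, then close the alert manually (point 3).
    pending_sync - incident resolved within `grace`: wait and re-check (point 1).
    unlinked     - no parsable link or unknown incident: check alert types and
                   connector/integration settings (points 2 and 4).
    in_sync      - statuses already agree.
    """
    buckets = {"stale": [], "pending_sync": [], "unlinked": [], "in_sync": []}
    for alert in mdc_alerts:
        inc_id = incident_id_from_link(alert.get("xdrIncidentLink"))
        incident = xdr_incidents.get(inc_id) if inc_id else None
        if incident is None:
            buckets["unlinked"].append(alert["alertId"])
            continue
        alert_open = alert["status"] == "Active"
        incident_resolved = incident["status"] == "Resolved"
        if alert_open and incident_resolved:
            age = now - parse_utc(incident["lastUpdateTime"])
            buckets["stale" if age > grace else "pending_sync"].append(alert["alertId"])
        else:
            buckets["in_sync"].append(alert["alertId"])
    return buckets


def reconcile_sample():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(MDC_ALERTS, XDR_INCIDENTS, REFERENCE_NOW)


if __name__ == "__main__":
    for bucket, ids in reconcile_sample().items():
        print(f"{bucket:13s} {ids}")
```

Only the `stale` bucket is a candidate for manual closure; `pending_sync` alerts are left alone until the grace window passes, and `unlinked` alerts point at the alert-type or connector questions rather than at a closure action.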

