This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 64%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFA%3C/text%3E%3C/svg%3E)
Our team observed that there are open or active alerts in Microsoft Defender for Cloud while its corresponding incident in Defender XDR is already resolved. We assume that it is the corresponding alert in Defender XDR since when we click the link in Microsoft Defender for Cloud it redirected to it. Maybe a sync issue?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 55.00000000000001%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hello @Francis Arvin Hallare,
Thank you for posting your query on Microsoft Q&A.
Please note that If you're seeing the Microsoft Defender for Cloud Security Alerts remain open while the corresponding link in Defender XDR (Extended Detection and Response) has already been resolved, there are a few potential reasons for this issue to happen.
Below are the possible causes and troubleshooting steps:
1. Alert Syncing Delay
Microsoft Defender for Cloud and Microsoft Defender XDR might not be perfectly synchronized in real-time. The alert resolution in Microsoft Defender XDR may have been processed, but it could take some time for that status to propagate back to Microsoft Defender for Cloud.
Action:
Please wait for a few minutes or up to an hour, and check again to see if the alerts in Microsoft Defender for Cloud gets updated or closed.
2. Alert Type Mismatch
There could be different types of alerts in Microsoft Defender for Cloud and Microsoft Defender XDR that are associated with the same security event but classified in a way that Microsoft Defender for Cloud hasn’t recognized the resolution in Microsoft Defender XDR.
Action:
Investigate the specific alert types in both consoles. Compare their classifications to understand if they are truly the same underlying issue or are distinct.
3. Alert Resolved in Microsoft Defender XDR, but Still open in Microsoft Defender for Cloud
Sometimes, in Microsoft Defender XDR, a resolved alert may still be showing as open in Microsoft Defender for Cloud due to different resolution methods. If the security investigation or incident was closed in Microsoft Defender XDR, but Microsoft Defender for Cloud didn't register that action (for example, manual remediation or auto-remediation), the alert remains open.
Action:
Manually close the alert in Microsoft Defender for Cloud if you’ve already taken the necessary actions. This can also be done via the Defender for Cloud portal under Security Alerts.
4. Cross-Platform Integration Issues
There may be integration issues between Microsoft Defender for Cloud and Microsoft Defender XDR, especially if you have custom configurations or are using both platforms in a multi-cloud environment. This can cause issues with data syncing and alert status updates.
Action:
Please review any integration settings between Microsoft Defender for Cloud and Microsoft Defender XDR, ensuring that the integration is working as expected.
Microsoft Defender for Cloud is now integrated with Microsoft Defender XDR, formerly known as Microsoft 365 Defender. This integration allows Defender XDR to collect alerts from Defender for Cloud and create Defender XDR incidents from them.
To support this integration, you must set up one of the following Microsoft Defender for Cloud data connectors, otherwise your incidents for Microsoft Defender for Cloud coming through the Microsoft Defender XDR connector won't display their associated alerts and entities:
Microsoft Sentinel has a new Tenant-based Microsoft Defender for Cloud (Preview) connector. This connector allows Microsoft Sentinel customers to receive Defender for Cloud alerts across their entire tenants, without having to monitor and maintain the connector's enrollment to all their Defender for Cloud subscriptions. We recommend using this new connector, as the Microsoft Defender XDR integration with Microsoft Defender for Cloud is also implemented at the tenant level.
Alternatively, you can use the Subscription-based Microsoft Defender for Cloud (Legacy) connector. This connector is not recommended, because if you have any Defender for Cloud subscriptions that aren't connected to Microsoft Sentinel in the connector, incidents from those subscriptions won't display their associated alerts and entities.
Both connectors mentioned above can be used to ingest Defender for Cloud alerts, regardless of whether you have Defender XDR incident integration enabled.
For additional details, please refer to the below document for your reference.
https://learn.microsoft.com/en-us/azure/sentinel/ingest-defender-for-cloud-incidents
As an overall summary, if alerts are resolved in Microsoft Defender XDR but still remains open in Microsoft Defender for Cloud, the above mentioned points are the possible causes.
I hope this above information provided is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks and Regards,
Sanoop Mohan
Hello @Francis Arvin Hallare,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query please do let us know.
Thanks and Regards,
Sanoop Mohan
Hello @Francis Arvin Hallare,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query please do let us know.
Thanks and Regards,
Sanoop Mohan
Hi Sanoop,
Thank you for your insights.
Just a clarification, we noticed that some of the alerts in Defender XDR which also has a corresponding alert in Microsoft Defender for Cloud is showing Endpoint as its service source instead of Microsoft Defender for Cloud. Does it mean both Endpoint and Microsoft Defender for Cloud generated separate alert with the same event? And Defender XDR captured the alert from Endpoint only? Since the alert came from service source Endpoint, once it is resolved it will not link or sync to Microsoft Defender for Cloud.
Hello @Francis Arvin Hallare,
Thank you for your response.
I understand that you noticed that some of the alerts in Defender XDR which also has a corresponding alert in Microsoft Defender for Cloud is showing Endpoint as its service source instead of Microsoft Defender for Cloud.
This scenario can happen if both Microsoft Defender for Endpoint and Microsoft Defender for Cloud generated separate alerts for the same event, but Defender XDR captured the alert from the Microsoft Defender for Endpoint.
When Defender XDR shows "Endpoint" as the service source, it indicates that the alert was captured from Microsoft Defender for Endpoint. This does not necessarily mean that the alert from Microsoft Defender for Cloud was ignored, but the possibility is that the alert from Endpoint was processed first or given first priority.
This can lead to synchronization issues where resolving the alert in one service does not automatically resolve the alert in the other service. To resolve this issue, you may need to manually check and resolve the alerts across both services(Microsoft Defender for Endpoint as well as Microsoft Defender for Cloud).
Please let me know if you have any other queries. I am looking forward to your response.
Hi Sanoop, Is there a fix for this? I mean how to avoid these kind of scenarios where an event triggered an alert for both sources but only source will be processed by Defender XDR?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 5%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hello @Francis Arvin Hallare,
Following up to see if the above suggestion was helpful. And, if you have any further query, please do let us know.
Hi Sridev, Thanks for the clarification. All good on my end.
Hello @Francis Arvin Hallare,
Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Hello @Francis Arvin Hallare,
There’s no direct fix for this, but there are ways to avoid it happening as often. Since Defender XDR tends to process alerts from Defender for Endpoint first, the best approach is to make sure alerts from both sources are properly linked.
You can check the incident correlation rules in XDR to see if it’s grouping related alerts correctly. Also, switching to the tenant-based Defender for Cloud connector (instead of the older subscription-based one) helps with better syncing between Defender for Cloud and XDR. If alerts in Defender for Cloud are still staying open after XDR marks the incident as resolved, you might need to close them manually or set up an automated playbook using Logic Apps to handle it for you.
Hope this helps!