Hello @Hyago Santana Mariano,
Thank you for posting your query on Microsoft Q&A.
Based on your description, it appears that incidents in Microsoft Sentinel are being automatically closed with the “Reason for closing” set to “Benign positive – suspicious but expected. Resolved at source.” This behavior occurs when user risks are dismissed due to actions taken by the user, such as completing Multi-Factor Authentication (MFA) or resetting their password. When users are allowed to self-remediate using Microsoft Entra Multi-Factor Authentication (MFA) or Self-Service Password Reset (SSPR) within risk policies, they can unblock themselves when risk is detected.
Reference: Self-Remediation with Risk Policy
Identity Protection risks can often be detected and remediated automatically, without the need for intervention by an admin or security analyst. This self-remediation is a designed feature of Identity Protection. For more details on the self-remediation actions, please check the "Risky sign-ins" blade under Identity Protection in Entra ID, where you’ll find that, in most cases, MFA has remediated the risks.
As these risks are being automatically remediated in Entra Identity Protection, the related incidents triggered in Microsoft Sentinel are being closed automatically with the reason “Benign positive – suspicious but expected. Resolved at source.”
I hope this information is helpful. Please feel free to reach out if you have any further questions.
Thanks,
Raja Pothuraju.
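The following is an added example, not part of the answer above: a Python check that an auto-closed incident really lines up with a self-remediated risk in Identity Protection, which is the behaviour the answer describes. Incident fields follow the Sentinel `SecurityIncident` table and risk fields follow the Microsoft Graph `riskDetection` resource; the flattened `UserPrincipalName` on the incident, the function name, the 24-hour window and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# riskDetail values that mean the user cleared the risk themselves (MFA / SSPR).
SELF_REMEDIATED = {
    "userPassedMFADrivenByRiskBasedPolicy",
    "userPerformedSecuredPasswordReset",
    "userPerformedSecuredPasswordChange",
}
AUTO_CLOSE = ("Closed", "BenignPositive", "SuspiciousButExpected")

def review_auto_closed(incidents, detections, window=timedelta(hours=24)):
    """Split auto-closed incidents into those explained by a self-remediated
    risk for the same user near the close time, and those that are not."""
    explained, unexplained = [], []
    for inc in incidents:
        state = (inc["Status"], inc["Classification"], inc["ClassificationReason"])
        if state != AUTO_CLOSE:
            continue  # still open, or closed for a different reason
        closed = datetime.fromisoformat(inc["ClosedTime"])
        user = inc["UserPrincipalName"].lower()  # assumed: taken from the incident's account entity
        match = any(
            d["userPrincipalName"].lower() == user
            and d["riskState"] == "remediated"
            and d["riskDetail"] in SELF_REMEDIATED
            and abs(closed - datetime.fromisoformat(d["lastUpdatedDateTime"])) <= window
            for d in detections
        )
        (explained if match else unexplained).append(inc["IncidentNumber"])
    return explained, unexplained

# Constructed sample data (not real tenant records).
INCIDENTS = [
    {"IncidentNumber": 101, "Status": "Closed", "Classification": "BenignPositive",
     "ClassificationReason": "SuspiciousButExpected",
     "ClosedTime": "2024-05-01T10:20:00+00:00", "UserPrincipalName": "alice@contoso.example"},
    {"IncidentNumber": 102, "Status": "Closed", "Classification": "BenignPositive",
     "ClassificationReason": "SuspiciousButExpected",
     "ClosedTime": "2024-05-01T11:00:00+00:00", "UserPrincipalName": "bob@contoso.example"},
    {"IncidentNumber": 103, "Status": "Active", "Classification": "",
     "ClassificationReason": "", "ClosedTime": "", "UserPrincipalName": "carol@contoso.example"},
]
DETECTIONS = [
    {"userPrincipalName": "Alice@contoso.example", "riskState": "remediated",
     "riskDetail": "userPassedMFADrivenByRiskBasedPolicy",
     "lastUpdatedDateTime": "2024-05-01T10:15:00+00:00"},
    {"userPrincipalName": "bob@contoso.example", "riskState": "atRisk",
     "riskDetail": "none", "lastUpdatedDateTime": "2024-05-01T10:50:00+00:00"},
]

if __name__ == "__main__":
    print(review_auto_closed(INCIDENTS, DETECTIONS))
```

Incidents in the second list were closed as benign without a matching self-remediation and are the ones worth a manual look.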