Sentinel Automation Rule for Non Domain Controller AD Replication – how to set it up

Hi everyone.

I need some help. I’m trying to set up an Automation Rule in Microsoft Sentinel for the Non Domain Controller Active Directory Replication rule. The idea is to automatically close the incident when the action is performed by the AD Sync account, but for some reason, the rule isn’t closing the incident.

Here’s my setup:

  • Trigger: When incident is created
  • Conditions (AND):
    • Analytic Rule name contains Non Domain Controller Active Directory Replication
    • Account NT domain contains ad.connect
    • Hostname equals XYZ
    • IP address equals 10.10.10.10
  • Action: Change status → Closed

Has anyone run into this issue or know what might be missing?

Edit 1:

Thank you to everyone who tried to help. I managed to make the notes for the correct entities.

In the end, it was just a beginner with a little difficulty. Thank you all.

submitted by /u/Alternative_Brief838