Forum Discussion

RobYoung
Brass Contributor
Apr 21, 2021

Close incident MCAS Playbook

I am in the process of implementing our first playbook into Sentinel.  We are currently ingesting our MCAS alerts and automatically creating incidents. I have added the Close incident MCAS playbook...
  • GaryBushey
    Apr 21, 2021

    RobYoung A couple of things

    1) This playbook uses the "When a response to an Azure Sentinel alert is triggered" trigger, so it would never fire when you close an Incident (there actually is no trigger for that yet).

    2) Not sure how this would work since, if I am reading the workflow correctly, it is triggered when an alert is generated, it closes the incident and, for all the alerts in the incident, it calls the MCAS URL to close the alert.  So basically, when the alert is created in Azure Sentinel it will immediately close the incident and all alerts in MCAS immediately.   This does not sound like what you want to do.

    You can use this as the basis of your playbook, but rather than using the Azure Sentinel trigger you would need to use a timer job to check for closed incidents that were created by the MCAS alert and then continue to run the workflow if you find any.  
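The timer-driven variant Gary describes, modelled in plain Python as an added example (this is not code from the thread, from the playbook, or from Microsoft): a recurring job asks for incidents, keeps only those that are Closed and were modified after the last run's watermark, collects the MCAS alert ids behind them, and hands each id to the same "close alert in MCAS" call the original playbook already makes. The watermark is the part people forget in a polling design: without it every tick re-closes the same alerts. Assumptions not on the page: incident and alert records are shaped loosely like the Sentinel incidents REST API (`properties.status`, `properties.lastModifiedTimeUtc`, `productName`, `providerAlertId`), MCAS alerts are recognised by the product name "Microsoft Cloud App Security", and the MCAS HTTP call is injected as a callable so the logic runs offline against constructed sample data.

```python
"""Timer-driven 'close MCAS alerts for closed Sentinel incidents' logic.

Added example, not the thread's or Microsoft's code. The incident/alert field
names below are assumptions modelled on the Sentinel incidents REST API; the
MCAS close call is injected so nothing here talks to a real tenant.
"""
from datetime import datetime, timezone

MCAS_PRODUCT = "Microsoft Cloud App Security"   # assumption: product name on MCAS alerts

# Constructed sample data: what one timer tick might get back from Sentinel.
SAMPLE_INCIDENTS = [
    {"name": "inc-1", "properties": {"status": "Closed",
                                     "lastModifiedTimeUtc": "2021-04-21T10:00:00Z"}},
    {"name": "inc-2", "properties": {"status": "Active",      # still open: leave alone
                                     "lastModifiedTimeUtc": "2021-04-21T10:05:00Z"}},
    {"name": "inc-3", "properties": {"status": "Closed",      # older than watermark: done before
                                     "lastModifiedTimeUtc": "2021-04-21T09:00:00Z"}},
    {"name": "inc-4", "properties": {"status": "Closed",      # closed, but not an MCAS incident
                                     "lastModifiedTimeUtc": "2021-04-21T10:10:00Z"}},
]
SAMPLE_ALERTS = {   # constructed: alerts related to each incident
    "inc-1": [{"productName": MCAS_PRODUCT, "providerAlertId": "mcas-100"},
              {"productName": MCAS_PRODUCT, "providerAlertId": "mcas-101"}],
    "inc-2": [{"productName": MCAS_PRODUCT, "providerAlertId": "mcas-200"}],
    "inc-3": [{"productName": MCAS_PRODUCT, "providerAlertId": "mcas-300"}],
    "inc-4": [{"productName": "Azure Security Center", "providerAlertId": "asc-1"}],
}


def parse_utc(ts):
    """Sentinel timestamps are ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def plan_closures(incidents, alerts_by_incident, watermark):
    """Return ([(incident_name, [mcas alert ids]), ...], new_watermark).

    Only incidents that are Closed AND modified after the watermark count, so a
    run never re-processes incidents an earlier tick already handled. The
    watermark advances over every qualifying closed incident, MCAS or not.
    """
    plan, newest = [], watermark
    for inc in incidents:
        props = inc["properties"]
        modified = parse_utc(props["lastModifiedTimeUtc"])
        if props["status"] != "Closed" or modified <= watermark:
            continue
        newest = max(newest, modified)
        ids = [a["providerAlertId"]
               for a in alerts_by_incident.get(inc["name"], [])
               if a.get("productName") == MCAS_PRODUCT]
        if ids:
            plan.append((inc["name"], ids))
    return plan, newest


def run_poll(incidents, alerts_by_incident, state, close_alert):
    """One timer tick. `state` persists between ticks:
       {"watermark": datetime, "failed": set of alert ids to retry}.
    `close_alert(alert_id)` is the MCAS call from the original playbook; any
    exception it raises parks the id in state["failed"] for the next tick.
    Returns the ids closed on this tick, in order."""
    closed = []

    def attempt(alert_id):
        try:
            close_alert(alert_id)
            closed.append(alert_id)
            return True
        except Exception:          # network/API failure: retry next tick
            state["failed"].add(alert_id)
            return False

    for alert_id in sorted(state["failed"]):     # retry earlier failures first
        if attempt(alert_id):
            state["failed"].discard(alert_id)

    plan, newest = plan_closures(incidents, alerts_by_incident, state["watermark"])
    for _incident_name, ids in plan:
        for alert_id in ids:
            attempt(alert_id)
    state["watermark"] = newest
    return closed


if __name__ == "__main__":
    sent = []
    st = {"watermark": parse_utc("2021-04-21T09:30:00Z"), "failed": set()}
    print(run_poll(SAMPLE_INCIDENTS, SAMPLE_ALERTS, st, sent.append))   # first tick
    print(run_poll(SAMPLE_INCIDENTS, SAMPLE_ALERTS, st, sent.append))   # nothing new
```

In a Logic App this maps onto a Recurrence trigger, a step that fetches incidents filtered to `Closed` and a modified time after the stored watermark, a loop over the related alerts that keeps only the MCAS ones, and the existing HTTP action to MCAS; the watermark and the retry set live in whatever state store the app can reach between runs.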
