Forum Discussion
Defender Sentinel Sync
4 Replies
- Clive_Watson Bronze Contributor
Are you using the (Preview) connector?
https://docs.microsoft.com/en-us/microsoft-365/security/defender/microsoft-365-defender-integration-with-azure-sentinel?view=o365-worldwide#:~:text=The%20Microsoft%20365%20Defender%20connector%20for%20Microsoft%20Sentinel,to%20Microsoft%20Sentinel%20and%20keeps%20the%20incidents%20synchronized.
- NicS Copper Contributor
Yes, we are using Defender 365 (Preview) connector
- SimBur999 Copper Contributor
NicS we have a similar issue -
Did you have any success with automating closure of MCAS with correct status? I found this article about using API connection, but it's from 2020 so I'm unsure if it is still required.
Microsoft Cloud App Security (MCAS) Activity Log in Azure Sentinel - Microsoft Tech Community
In our case, with the Sentinel security extension enabled in MCAS, Sentinel does not update the MCAS alert at all. If we disable the security extension, it does update, but incorrectly, e.g. closing an alert in Sentinel as False Positive - benign automatically closes the alert in MCAS as True Positive.
Anyone know how to get MCAS updated correctly based on Sentinel Incident closure?
I assume this matters because the logic for alerting in MCAS would be skewed by alerts being closed with incorrect status?