Forum Discussion

NicS's avatar
NicS
Copper Contributor
Mar 02, 2022

Defender Sentinel Sync

The status of an incident in Sentinel does not sync with Microsoft 365 Defender (Alert product name Microsoft Cloud App Security) when the incident is closed. Has anyone else encountered this issue? ...
integration
microsoft defender for cloud apps
NicS's avatar
NicS
Copper Contributor
Mar 02, 2022
Yes, we are using Defender 365(Preview) connector
SimBur999's avatar
SimBur999
Copper Contributor
Jul 24, 2022

NicS we have a similar issue -

Did you have any success with automating closure of MCAS with correct status?  I found this article about using API connection, but it's from 2020 so I'm unsure if it is still required.

Microsoft Cloud App Security (MCAS) Activity Log in Azure Sentinel - Microsoft Tech Community

 

In our case, with the Sentinel security extension enabled in MCAS, Sentinel does not update MCAS alert at all.  If we disable the security extension, it does update but incorrectly e.g. Close an alert in Sentinel as False Positive - benign, automatically closes alert in MCAS as True Positive.

 

Anyone know how to get MCAS updated correctly based on Sentinel Incident closure?

 

I assume this matters because the logic for alerting in MCAS would be skewed by alerts being closed with incorret status?

 

Resources