Forum Discussion
Defender Sentinel Sync
NicS we have a similar issue -
Did you have any success with automating closure of MCAS with correct status? I found this article about using API connection, but it's from 2020 so I'm unsure if it is still required.
Microsoft Cloud App Security (MCAS) Activity Log in Azure Sentinel - Microsoft Tech Community
In our case, with the Sentinel security extension enabled in MCAS, Sentinel does not update MCAS alert at all. If we disable the security extension, it does update but incorrectly e.g. Close an alert in Sentinel as False Positive - benign, automatically closes alert in MCAS as True Positive.
Anyone know how to get MCAS updated correctly based on Sentinel Incident closure?
I assume this matters because the logic for alerting in MCAS would be skewed by alerts being closed with incorrect status?
SimBur999 · Jul 31, 2022 · Copper Contributor
In our case a removal and redeployment of the Defender for Cloud solution in Sentinel has resolved the issue. There was also some confusion with closing incidents as benign positive in Sentinel. Benign positive is reported as 'True positive' in areas of Defender for Cloud Apps (specifically when opening an incident in Cloud Apps portal, you are notified that MSATP has automatically resolved the incident as True Positive). This is all good of course, since the different portals do not have the same selections for resolution or closure (you even 'close' an incident in Sentinel as opposed to 'resolved' in Cloud Apps) 😃
Semantics really! True and Benign positives are both 'True' positives so it is expected (but potentially confusing).
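For anyone wanting to do the closure sync themselves rather than rely on the connector, here is an added example of the classification mapping the thread is discussing (my own illustration, not code from either poster or from Microsoft). It maps a Sentinel incident classification to the corresponding Defender for Cloud Apps alert-close call and builds the request body; it deliberately refuses the Sentinel "Undetermined" classification, which has no counterpart on the Cloud Apps side, instead of silently closing the alert as True Positive. The endpoint paths (`/api/v1/alerts/close_true_positive/` etc.), the `filters`/`comment` body shape and the classification strings are assumptions taken from the public Defender for Cloud Apps and Sentinel REST API documentation as I recall them; verify them against your tenant before use.

```python
"""Build (and optionally send) the Defender for Cloud Apps alert-close request
that corresponds to a Sentinel incident closure.

Added example; endpoint paths and payload shape are assumed from the public
API docs and should be checked against your tenant.
"""
import json
import urllib.request
from typing import Optional

# Sentinel incident classifications (as returned by the Sentinel REST API /
# Logic Apps) mapped to the Cloud Apps close route.  "Undetermined" is
# intentionally absent: Cloud Apps has no equivalent resolution.
CLASSIFICATION_TO_ROUTE = {
    "TruePositive": "close_true_positive",
    "BenignPositive": "close_benign",
    "FalsePositive": "close_false_positive",
}


def build_close_request(portal_url: str, alert_ids: list, classification: str,
                        comment: str = "") -> tuple:
    """Return (url, payload) for closing the given Cloud Apps alert ids with
    the status that matches the Sentinel classification.

    Raises ValueError for classifications that cannot be mirrored, so the
    caller can leave the alert open rather than mis-close it.
    """
    route = CLASSIFICATION_TO_ROUTE.get(classification)
    if route is None:
        raise ValueError(f"no Cloud Apps close status for Sentinel classification {classification!r}")
    if not alert_ids:
        raise ValueError("at least one Cloud Apps alert id is required")
    url = f"{portal_url.rstrip('/')}/api/v1/alerts/{route}/"
    payload = {
        # assumed filter syntax: select alerts whose id is in the list
        "filters": {"id": {"eq": list(alert_ids)}},
        "comment": comment or f"Closed from Sentinel as {classification}",
    }
    return url, payload


def send_close_request(url: str, payload: dict, api_token: str,
                       opener: Optional[urllib.request.OpenerDirector] = None) -> dict:
    """POST the payload with the Cloud Apps API token. Not invoked by default."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Token {api_token}",  # assumed header scheme
                 "Content-Type": "application/json"},
    )
    opener = opener or urllib.request.build_opener()
    with opener.open(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8") or "{}")


def closable(classification: str) -> bool:
    """True when Sentinel's classification has a Cloud Apps counterpart."""
    return classification in CLASSIFICATION_TO_ROUTE


if __name__ == "__main__":
    # constructed sample: a Sentinel incident closed as benign, linked to one
    # Cloud Apps alert id (placeholder value)
    url, payload = build_close_request(
        "https://contoso.portal.cloudappsecurity.com",
        ["00000000000000000000000a"], "BenignPositive",
    )
    print(url)
    print(json.dumps(payload, indent=2))
```

The point of the explicit map is that "Benign" goes to `close_benign` and not to `close_true_positive`, which is the mis-mapping the thread describes; anything outside the map is refused so a human can decide.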