Retrieve "dismiss alert" logs in Sentinel

Question

Hello everyone ,&nbsp;I hope you all doing well, I'm trying to retrieve the dismiss alerts logs for MCAS in Azure Sentinel using Azure Log Analytics, however I don't have the raw data as usual which doesn't enable me to know the log type. Are these activities retrievable by any chance (using KQL, API) ?&nbsp; Thank you,Stay safe.&nbsp;Alexander

sarah_young · Answer

Alexander_Ceyran&nbsp;no, you can't retrieve them into your workspace.
&nbsp;
It is possible write a playbook from Sentinel that will dismiss the alerts in MCAS, was this what you were trying to achieve?
&nbsp;
Sarah

sammyredo · Answer

Sarah_Young&nbsp; I am looking to be able to write a playbook, which will close an MCAS alert in Sentinel and dismiss the corresponding alert in MCAS.

sarah_young · Answer

sammyredo&nbsp;please look at this example in our Github repo:
&nbsp;
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Resolve-McasInfrequentCountryAlerts

sammyredo · Answer

Sarah_Young&nbsp;Thank you. This should work

Forum Discussion

Retrieve "dismiss alert" logs in Sentinel

Share

Resources