Forum Discussion
Chris Stelzer
Apr 29, 2019, Copper Contributor
Alert Status column not updating properly for "Resolved" MCAS or IPC alerts
Anyone noticed that the "Alert Status" column for MCAS and IPC (Identity Protection) alerts doesn't properly reflect within the API when resolving alerts in the MCAS or Identity Protection portal? Ot...
Chris Stelzer
May 01, 2019, Copper Contributor
Looks like Microsoft's own https://security.microsoft.com/alerts section is also not properly showing statuses correctly. I assume they're just using their own Security Graph API to surface this information. Need this resolved ASAP so we can start properly centrally using PowerBI to track ongoing alert statuses.
- Preeti_Krishna, Jun 14, 2019, Microsoft
Chris Stelzer, zchoate_ksmc: Microsoft Graph Security API alert patch support for security products is listed at https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0#alerts
The 'patch' capability for many providers shows supported - you can update alerts and get them in the same updated state across multiple applications integrated with the Microsoft Graph Security API. Currently the provider / security product portal is not integrated to consume the data from Microsoft Graph Security API. This needs to be implemented on the respective security product portal side. We are working with the security providers to get this implemented consistently.
https://security.microsoft.com/alerts is not integrated to get and update alerts from Microsoft Graph Security API.
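The update-then-read-back behaviour described in the reply above, as an added example for this thread (not Microsoft's code and not from the linked documentation page). It assumes a bearer token with alert write permission (hypothetical `token`), hypothetical alert IDs, and that the alerts carry `vendorInformation/provider` values such as "MCAS" and "IPC" (assumed values). It also includes an offline reconciliation check over a constructed sample, of the kind a PowerBI tracking feed would need to spot alerts resolved in a provider portal whose Graph status has not caught up:

```python
"""Update an alert through the Microsoft Graph Security API and read it back.

Added example for this thread, not Microsoft's code. Assumes a bearer token
with permission to write alerts (hypothetical `token`), hypothetical alert
IDs, and provider names "MCAS" / "IPC" as assumed vendorInformation values.
"""
import json
import urllib.parse
import urllib.request

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"
ALERT_STATUSES = ("unknown", "newAlert", "inProgress", "resolved")


def build_patch_body(status, provider, vendor="Microsoft", comments=None, assigned_to=None):
    """Build the PATCH body for /security/alerts/{id}.

    A Graph Security API alert PATCH must carry vendorInformation.provider and
    vendorInformation.vendor alongside the fields being changed, and those
    values must match the alert being updated.
    """
    if status not in ALERT_STATUSES:
        raise ValueError(f"status must be one of {ALERT_STATUSES}, got {status!r}")
    body = {
        "status": status,
        "vendorInformation": {"provider": provider, "vendor": vendor},
    }
    if comments:
        body["comments"] = list(comments)  # comments is a string collection
    if assigned_to:
        body["assignedTo"] = assigned_to
    return body


def _request(token, url, method="GET", body=None, prefer_representation=False):
    """Minimal authenticated JSON call; returns the parsed body or None on 204."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    if prefer_representation:
        # Ask Graph to return the updated alert instead of an empty 204.
        headers["Prefer"] = "return=representation"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def resolve_alert(token, alert_id, provider, comments=None):
    """PATCH the alert to resolved, then GET it again and confirm the status stuck."""
    body = build_patch_body("resolved", provider, comments=comments)
    _request(token, f"{GRAPH_ALERTS}/{alert_id}", "PATCH", body, prefer_representation=True)
    readback = _request(token, f"{GRAPH_ALERTS}/{alert_id}")
    return readback.get("status") == "resolved", readback


def list_alerts(token, provider):
    """Page through every alert from one provider, following @odata.nextLink."""
    filt = urllib.parse.quote(f"vendorInformation/provider eq '{provider}'")
    url = f"{GRAPH_ALERTS}?$filter={filt}&$top=100"
    while url:
        page = _request(token, url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def find_out_of_sync(graph_alerts, portal_resolved_ids):
    """IDs resolved in the provider portal whose Graph status is still not 'resolved'.

    graph_alerts: alert objects as returned by Graph (id, status, vendorInformation).
    portal_resolved_ids: alert IDs exported from the provider portal as resolved.
    """
    resolved = set(portal_resolved_ids)
    return sorted(
        a["id"] for a in graph_alerts
        if a["id"] in resolved and a.get("status") != "resolved"
    )


# Constructed sample (not real data) to exercise the reconciliation check offline.
SAMPLE_GRAPH_ALERTS = [
    {"id": "a1", "status": "newAlert", "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"}},
    {"id": "a2", "status": "resolved", "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"}},
    {"id": "a3", "status": "inProgress", "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"}},
]
SAMPLE_PORTAL_RESOLVED = ["a1", "a2"]

if __name__ == "__main__":
    print(json.dumps(build_patch_body("resolved", "MCAS", comments=["Closed in MCAS portal"]), indent=2))
    print("out of sync with portal:", find_out_of_sync(SAMPLE_GRAPH_ALERTS, SAMPLE_PORTAL_RESOLVED))
```

`resolve_alert` is the round trip the reply describes: the PATCH changes the copy every Graph-integrated application sees, and the GET confirms it. `find_out_of_sync` is the other direction, the one the thread complains about, and only tells you something once the provider portal itself writes back through Graph.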
- Chris Stelzer, Jun 14, 2019, Copper Contributor
Preeti_Krishna thank you. The PATCH alert status for Cloud App Security and Identity Protection is listed as supported, but is still not implemented by these providers. Do you have an ETA for integrating these PATCH alerts?
- Preeti_Krishna, Jun 14, 2019, Microsoft
Chris Stelzer - The 'patch' capability for many providers shows supported because you can update alerts and get them in the same updated state across all applications integrated with the Microsoft Graph Security API.
IPC has a report, which is an aggregation of detections/events, structured as described in the IPC documentation. The report, for example 'risky users', has a state, while the detections or risky events themselves do not have any state in IPC. The risky events are what is available in Microsoft Graph Security API as alerts. Hence the alert patch scenario for IPC is at parity with what the IPC provider portal supports for detections.
MCAS - We are working with the provider to enable support for this - no ETA to share though.