Forum Discussion
Alert Status column not updating properly for "Resolved" MCAS or IPC alerts
Preeti_Krishna thank you. The PATCH alert status for Cloud App Security and Identity Protection is listed as supported, but is still not implemented by these providers. Do you have an ETA for integrating these PATCH alerts?
Chris Stelzer - The 'patch' capability for many providers shows supported because you can update alerts and get them in the same updated state across all applications integrated with the Microsoft Graph Security API.
IPC has a report which is an aggregation of detections/events structure as described in the IPC documentation. The report, for example 'risky users', has a state, while the detections or risky events themselves do not have any state in IPC. The risky events are what is available in Microsoft Graph Security API as alerts. Hence the alert patch scenario for IPC is at parity with what the IPC provider portal supports for detections.
MCAS - We are working with the provider to enable support for this - no ETA to share though.
- cmon9108, Sep 30, 2020, Copper Contributor
Do you know if this is still on the Microsoft roadmap to make patch alerts available through Graph for MCAS? This one has created some issues for me as well. I've moved on to using the MCAS direct API but it sure would be nice to use Graph since my SOAR has a nice integration with it.
- Chris Stelzer, Jun 14, 2019, Copper Contributor
Preeti_Krishna Still confused on IPC. Risk events shown in Security Graph API, are these not the Risk Events shown in Identity protection? (i.e. Unfamiliar Sign In Properties). Should these events not be linked to the "Status" property of the Sign In Risk events from IPC? Those can be Closed (i.e. Resolved) and almost certainly are for anyone that tracks these events within their tenant.
It makes the Security Alerts API useless for tracking which IPC events have been acted upon as they all report as "New Alert".