
Close incident MCAS Playbook


I am in the process of implementing our first playbook into Sentinel.  We are currently ingesting our MCAS alerts and automatically creating incidents.

I have added the Close incident MCAS playbook which was provided in github and have configured it as per the instructions but when I close an MCAS incident, nothing is triggered.  Any tips or suggestions?


If I manually trigger the logic app, I get the following failure in the Alert - Get Incident:

{
  "statusCode": 404,
  "message": "Resource not found"
}
but I suspect this is because it has been manually triggered.  If I close an incident, I do not see any triggers happen.
best response confirmed by Robert Young (Occasional Contributor)

@Robert Young A couple of things

1) This playbook uses the "When a response to an Azure Sentinel alert is triggered" trigger, so it would never fire when you close an Incident (there actually is no trigger for that yet).

2) Not sure how this would work since, if I am reading the workflow correctly, it is triggered when an alert is generated, it closes the incident and, for all the alerts in the incident, it calls the MCAS URL to close the alert.  So basically, when the alert is created in Azure Sentinel it will immediately close the incident and all alerts in MCAS.  This does not sound like what you want to do.


You can use this as the basis of your playbook, but rather than using the Azure Sentinel trigger you would need to use a timer job to check for closed incidents that were created by the MCAS alert and then continue to run the workflow if you find any.

If I understand correctly then, this should close an MCAS alert once it has triggered an alert in Sentinel. That may work... not ideal, but the end result is we do not want to chase alerts through multiple systems.

Maybe I will try and craft something that will batch it a couple times a day and that way, I can at least close it with the same classification that I used to close it in Sentinel.

Thanks for the tips and input
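The selection step of the timer-based approach suggested in the accepted answer, carrying the classification across as the follow-up reply wants: an added example, not code from the thread or from the GitHub playbook. It works over constructed sample data standing in for the closed-incident query a scheduled Logic App or script would run; the mapping to MCAS close actions (close_true_positive, close_false_positive, close_benign) is an assumption about the MCAS alert API and is used here only as labels.

```python
"""Plan which MCAS alerts to close, mirroring closed Sentinel incidents.

Constructed sample data stands in for the scheduled query of closed incidents.
The SecurityAlert table's ProviderName ("MCAS") and VendorOriginalId (the MCAS
alert id) columns are what let us pick out the MCAS-originated alerts.
"""
from collections import defaultdict

# Sentinel incident classification -> MCAS close action (assumed API action names).
# Undetermined has no MCAS disposition, so it is deliberately absent and skipped.
CLASSIFICATION_TO_MCAS_ACTION = {
    "TruePositive": "close_true_positive",
    "FalsePositive": "close_false_positive",
    "BenignPositive": "close_benign",
}

# Constructed sample: incidents with their related alerts (ids are made up).
SAMPLE_INCIDENTS = [
    {"IncidentNumber": 101, "Status": "Closed", "Classification": "TruePositive",
     "Alerts": [{"ProviderName": "MCAS", "VendorOriginalId": "mcas-aaa"},
                {"ProviderName": "MCAS", "VendorOriginalId": "mcas-aaa"}]},  # duplicate row
    {"IncidentNumber": 102, "Status": "Closed", "Classification": "FalsePositive",
     "Alerts": [{"ProviderName": "MDATP", "VendorOriginalId": "defender-1"}]},  # not MCAS
    {"IncidentNumber": 103, "Status": "Closed", "Classification": "Undetermined",
     "Alerts": [{"ProviderName": "MCAS", "VendorOriginalId": "mcas-bbb"}]},
    {"IncidentNumber": 104, "Status": "Active", "Classification": None,
     "Alerts": [{"ProviderName": "MCAS", "VendorOriginalId": "mcas-ccc"}]},  # still open
    {"IncidentNumber": 105, "Status": "Closed", "Classification": "BenignPositive",
     "Alerts": [{"ProviderName": "MCAS", "VendorOriginalId": "mcas-ddd"},
                {"ProviderName": "ASC", "VendorOriginalId": "asc-9"}]},
]


def plan_mcas_closures(incidents):
    """Return {mcas_action: sorted MCAS alert ids} for closed, classified incidents.

    Skips incidents that are still open, incidents closed as Undetermined, and
    alerts that did not originate in MCAS; duplicate alert rows collapse to one id.
    """
    plan = defaultdict(set)
    for inc in incidents:
        if inc["Status"] != "Closed":
            continue
        action = CLASSIFICATION_TO_MCAS_ACTION.get(inc["Classification"])
        if action is None:
            continue
        for alert in inc["Alerts"]:
            if alert["ProviderName"] == "MCAS":
                plan[action].add(alert["VendorOriginalId"])
    return {action: sorted(ids) for action, ids in plan.items()}


if __name__ == "__main__":
    for action, ids in plan_mcas_closures(SAMPLE_INCIDENTS).items():
        print(f"{action}: {ids}")
```

Each returned action/id list is one batched call to MCAS in the real job; running the planner first and logging its output gives a dry run before any alert is touched.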