Closing an Incident in Azure Sentinel and Dismissing an Alert in ASC || Defender || MCAS etc


Hi guys,

We are in the process of designing a Playbook that can close the alert from the generator portals like Defender, MCAS, M365, etc.

If we close the alert on the Sentinel page, the playbook should trigger to close the alerts in the portals of M365 etc.

Any ideas...

1 Reply
There is an MCAS/Azure Defender example in the GitHub repo https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks. Look for the ones that are called "Close-".

The Microsoft 365 Defender (preview) connector is bi-directional, so you can close an alert in M365 or Azure Sentinel and the two will sync.
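To make the close-out sync described in the reply concrete, here is an added example (not code from the thread or from the Azure-Sentinel GitHub playbooks) that takes the incident object a Sentinel playbook trigger hands over and builds the per-alert status update a playbook would send to the Microsoft Graph security alerts endpoint. The field names (`properties.status`, `classification`, `relatedAlertIds`, Graph `status`/`feedback`/`comments`) and the classification mapping are assumptions drawn from the public schemas and should be checked against current documentation before wiring this into a Logic App.

```python
"""Map a closed Azure Sentinel incident to Graph security alert PATCH bodies.

Added example; field names and the classification mapping are assumptions
based on the public Sentinel incident schema and the Graph v1.0 alert
resource, not code from the thread or the Azure-Sentinel playbooks.
"""
from typing import Dict, List

# Sentinel incident classification -> Graph alert feedback (assumed mapping)
FEEDBACK = {
    "TruePositive": "truePositive",
    "FalsePositive": "falsePositive",
    "BenignPositive": "benignPositive",
    "Undetermined": "unknown",
}


def graph_patches(incident: Dict) -> List[Dict]:
    """Return one {"alert_id": ..., "body": ...} entry per related alert.

    Only a Closed incident propagates; an Active or New incident returns an
    empty list so the playbook never dismisses alerts in the source portal
    for an investigation that is still open.
    """
    props = incident.get("properties", {})
    if props.get("status") != "Closed":
        return []
    comment = props.get("classificationComment", "")
    body = {
        "status": "resolved",
        "feedback": FEEDBACK.get(props.get("classification", "Undetermined"), "unknown"),
        "comments": [f"Closed from Azure Sentinel: {comment}".strip()],
        # Some providers also require "vendorInformation" on PATCH (assumption).
    }
    return [{"alert_id": aid, "body": body} for aid in props.get("relatedAlertIds", [])]


# Constructed sample of the incident object the Sentinel trigger delivers.
SAMPLE_CLOSED = {
    "name": "00000000-0000-0000-0000-000000000000",  # placeholder incident id
    "properties": {
        "status": "Closed",
        "classification": "FalsePositive",
        "classificationComment": "Known vulnerability scanner",
        "relatedAlertIds": ["alert-id-1", "alert-id-2"],  # constructed ids
    },
}
SAMPLE_ACTIVE = {"properties": {"status": "Active", "relatedAlertIds": ["alert-id-3"]}}

if __name__ == "__main__":
    for patch in graph_patches(SAMPLE_CLOSED):
        print(patch["alert_id"], patch["body"])
```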