How to auto close Azure AD Identity Protection alerts when closed in Azure Sentinel


We have connected data from Azure Active Directory (Azure AD) Identity Protection to Azure Sentinel.

Is it possible to auto close Azure AD Identity Protection alerts when closed in Azure Sentinel?

1 Reply

@deepak198486 

You could do this via a playbook/logic app.

If you had an incident created from an Azure AD Identity Protection alert which had the AAD Object ID as a mapped Account entity, you could create a playbook called closed-identityprotection-alert or something. Use the Sentinel and Azure AD Identity Protection logic apps to dismiss the user and close the incident. Then instead of closing the incident in the Sentinel dashboard, just trigger the playbook instead.

See example below

[Screenshots: la1.JPG, la2.JPG]
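The two steps the reply describes (dismiss the risky user, then close the incident), written as the REST requests such a playbook would issue. This is an added example, not part of the original reply. The incident layout, the sample values, the `BenignPositive` classification and the API version are assumptions. The code only builds the requests, since sending them needs tokens for Microsoft Graph and Azure Resource Manager.

```python
import re

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
GRAPH_DISMISS = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/dismiss"
ARM = "https://management.azure.com"
API_VERSION = "2023-02-01"  # assumed Sentinel incidents API version

# Constructed sample incident (not from the original post); field layout is an assumption.
SAMPLE_INCIDENT = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
          "/providers/Microsoft.OperationalInsights/workspaces/ws-example"
          "/providers/Microsoft.SecurityInsights/incidents/11111111-1111-1111-1111-111111111111",
    "etag": '"constructed-etag"',
    "properties": {
        "title": "Unfamiliar sign-in properties", "severity": "Medium", "status": "Active",
        "relatedEntities": [
            {"kind": "Account", "properties": {"aadUserId": "22222222-2222-2222-2222-222222222222"}},
            {"kind": "Account", "properties": {"accountName": "svc-local"}},  # no AAD object ID
            {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
        ],
    },
}

def aad_object_ids(incident):
    """Return unique, well-formed AAD object IDs from mapped Account entities."""
    ids = []
    for entity in incident["properties"].get("relatedEntities", []):
        oid = (entity.get("properties", {}).get("aadUserId") or "").lower()
        if entity.get("kind") == "Account" and GUID.match(oid) and oid not in ids:
            ids.append(oid)
    return ids

def build_requests(incident):
    """Build the dismiss call and the close call; refuse if no user can be dismissed."""
    ids = aad_object_ids(incident)
    if not ids:
        raise ValueError("no Account entity with an AAD object ID; leave the incident open")
    props = incident["properties"]
    dismiss = {"method": "POST", "url": GRAPH_DISMISS, "json": {"userIds": ids}}
    close = {"method": "PUT", "url": f"{ARM}{incident['id']}?api-version={API_VERSION}",
             "json": {"etag": incident["etag"], "properties": {
                 "title": props["title"], "severity": props["severity"], "status": "Closed",
                 "classification": "BenignPositive",  # assumed classification for a dismissal
                 "classificationReason": "SuspiciousButExpected"}}}
    return [dismiss, close]  # order matters: close only after the dismiss succeeds
```

The identity that sends the first request needs the Graph permission `IdentityRiskyUser.ReadWrite.All`, so scope the playbook's managed identity to that and to incident write access on the workspace rather than anything broader.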