Retrieve MCAS alert resolution status using LogicApps?


Greetings,

I've been working on a Logic App in Sentinel to retrieve the status of Microsoft Cloud App Security alerts using its REST API.

[Image: Capture3.PNG]

So far, I'm capable of retrieving MCAS alerts, which I can query in Log Analytics.

[Image: tempzdasnip.png]

However, what I'm really interested in is the status of the alert (Open, Dismissed or Resolved). The parameter is called "ResolutionStatus" and should have 3 values, as shown in the MS documentation:

https://docs.microsoft.com/en-us/cloud-app-security/api-alerts

[Image: Capture4.PNG]

This parameter is not available when using a GET request to the MCAS API; as you can see, I have instead a statusValue which takes only 2 values (0 = open, 1 = dismissed or resolved):

[Image: tempsnip.png]

The HTTP GET request is the following:

[Image: Capture.PNG]

Do you have any idea why the schema is different from the one that can be found in the documentation? And do you have any clues on how to retrieve the resolutionStatus for MCAS alerts using Logic Apps?

Thanks for your help,

Alexander

1 Reply

Re: Retrieve MCAS alert resolution status using LogicApps?

@Alexander_Ceyran This would probably be better asked in the MCAS community: https://techcommunity.microsoft.com/t5/microsoft-cloud-app-security/bd-p/MicrosoftCloudAppSecurity
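The statusValue/resolutionStatus mismatch described in the question is the kind of thing a Logic App or downstream workbook has to normalise without guessing. The following is an added example, not code from the original post or from Microsoft; it assumes the documented resolutionStatus codes are 0 = Open, 1 = Dismissed, 2 = Resolved, and works on constructed alert records rather than real MCAS output.

```python
from enum import Enum

class Resolution(Enum):
    OPEN = "Open"
    DISMISSED = "Dismissed"
    RESOLVED = "Resolved"
    # statusValue == 1 alone cannot tell dismissed from resolved, so say so explicitly
    CLOSED_UNSPECIFIED = "Closed (dismissed or resolved)"

# Assumption: the documented resolutionStatus codes are 0/1/2 in this order.
RESOLUTION_BY_CODE = {0: Resolution.OPEN, 1: Resolution.DISMISSED, 2: Resolution.RESOLVED}

def normalize_status(alert: dict) -> Resolution:
    """Derive a three-way status: prefer resolutionStatus, else fall back to statusValue."""
    # The docs spell the field ResolutionStatus; accept either casing.
    code = alert.get("resolutionStatus", alert.get("ResolutionStatus"))
    if code is not None:
        try:
            return RESOLUTION_BY_CODE[int(code)]
        except (KeyError, ValueError, TypeError):
            raise ValueError(f"unexpected resolutionStatus {code!r} on alert {alert.get('_id')}")
    status = alert.get("statusValue")
    if status == 0:
        return Resolution.OPEN
    if status == 1:
        # 1 covers both dismissed and resolved; report the ambiguity rather than guess
        return Resolution.CLOSED_UNSPECIFIED
    raise ValueError(f"alert {alert.get('_id')} has neither resolutionStatus nor a known statusValue")

def summarize(alerts: list) -> dict:
    """Count alerts per normalized status, e.g. for a Logic App sanity check."""
    counts: dict = {}
    for alert in alerts:
        key = normalize_status(alert).value
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample records (not real MCAS output): the first two mimic the GET response
# from the question, the last two mimic records that carry the documented field.
SAMPLE_ALERTS = [
    {"_id": "alert-1", "title": "Impossible travel", "statusValue": 0},
    {"_id": "alert-2", "title": "Mass download", "statusValue": 1},
    {"_id": "alert-3", "title": "Risky sign-in", "statusValue": 1, "resolutionStatus": 2},
    {"_id": "alert-4", "title": "New admin", "statusValue": 1, "resolutionStatus": 1},
]
```

Running `summarize(SAMPLE_ALERTS)` shows one alert in each bucket, with the ambiguous GET-only record surfaced as "Closed (dismissed or resolved)" instead of being silently coerced to one of the documented states.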