Retrieve "dismiss alert" logs in Sentinel


Hello everyone :smile:,

I hope you are all doing well. I'm trying to retrieve the "dismiss alert" logs for MCAS in Azure Sentinel using Azure Log Analytics; however, I don't have the raw data as usual, which doesn't enable me to know the log type. Are these activities retrievable by any chance (using KQL, API)?

(attached screenshot: Capture3.PNG)

Thank you,

Stay safe.

 

Alexander

4 Replies

@Alexander_Ceyran no, you can't retrieve them into your workspace.

It is possible to write a playbook from Sentinel that will dismiss the alerts in MCAS; was this what you were trying to achieve?

 

Sarah


@Sarah_Young  I am looking to be able to write a playbook, which will close an MCAS alert in Sentinel and dismiss the corresponding alert in MCAS.

@sammyredo please look at this example in our Github repo:

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Resolve-McasInfrequentCountryAlerts

@Sarah_Young Thank you. This should work
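The playbook Sarah describes (close the incident in Sentinel, dismiss the corresponding alert in MCAS) boils down to two REST calls plus the ordering and validation around them. The script below is an added illustration of that logic, not the Resolve-McasInfrequentCountryAlerts playbook from the Azure-Sentinel repo and not code from this thread. It models each HTTP call as a plain request dict handed to a `send` callable so the control flow can be run offline; for a live run you would pass something like `lambda r: requests.request(**r).status_code`. The endpoint paths, the `Token` / `Bearer` header styles, the `ProductName` value, the etag handling and the 24-hex-character MCAS alert id format are all assumptions to verify against the current Sentinel and Defender for Cloud Apps (formerly MCAS) API documentation; the tenant, ids and tokens are constructed placeholders.

```python
"""Playbook-style sync: dismiss an MCAS alert, then close the matching Sentinel incident.

Added example (not the repo playbook). Endpoint shapes and field names are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional
import re

# Assumption: MCAS alert ids are 24 hex characters. Validating before the id is
# interpolated into a URL path keeps a malformed or hostile id out of the request.
MCAS_ALERT_ID = re.compile(r"[0-9a-f]{24}")
MCAS_PRODUCT = "Microsoft Cloud App Security"   # assumed ProductName on the Sentinel alert

Request = Dict[str, object]


@dataclass
class Config:
    subscription: str
    resource_group: str
    workspace: str
    arm_token: str        # bearer token for management.azure.com (placeholder)
    mcas_host: str        # e.g. "contoso.portal.cloudappsecurity.com" (constructed)
    mcas_token: str       # MCAS API token (placeholder)


@dataclass
class SentinelIncident:
    incident_id: str
    etag: str
    title: str
    severity: str
    alert_product: str                # product that raised the underlying alert
    provider_alert_id: Optional[str]  # vendor's own alert id, if the alert carried one


def build_mcas_dismiss(cfg: Config, alert_id: str, comment: str) -> Request:
    """Legacy MCAS dismiss call: POST /api/v1/alerts/{id}/dismiss/ (assumed shape)."""
    if not MCAS_ALERT_ID.fullmatch(alert_id):
        raise ValueError(f"refusing to use malformed MCAS alert id: {alert_id!r}")
    return {
        "method": "POST",
        "url": f"https://{cfg.mcas_host}/api/v1/alerts/{alert_id}/dismiss/",
        "headers": {"Authorization": f"Token {cfg.mcas_token}"},
        "json": {"comment": comment},
    }


def build_sentinel_close(cfg: Config, inc: SentinelIncident, comment: str) -> Request:
    """Sentinel incidents PUT. Sending the current etag (assumed to be honoured) stops a
    stale write from clobbering a concurrent analyst update."""
    url = (f"https://management.azure.com/subscriptions/{cfg.subscription}"
           f"/resourceGroups/{cfg.resource_group}"
           f"/providers/Microsoft.OperationalInsights/workspaces/{cfg.workspace}"
           f"/providers/Microsoft.SecurityInsights/incidents/{inc.incident_id}"
           "?api-version=2020-01-01")
    return {
        "method": "PUT",
        "url": url,
        "headers": {"Authorization": f"Bearer {cfg.arm_token}"},
        "json": {
            "etag": inc.etag,
            "properties": {
                "title": inc.title,
                "severity": inc.severity,
                "status": "Closed",
                "classification": "FalsePositive",
                "classificationReason": "InaccurateData",
                "classificationComment": comment,
            },
        },
    }


def resolve_incident(cfg: Config, inc: SentinelIncident,
                     send: Callable[[Request], int], comment: str) -> str:
    """Dismiss upstream first, then close locally, so the two systems never disagree:
    if the MCAS call fails the Sentinel incident stays open for an analyst."""
    if inc.alert_product != MCAS_PRODUCT or not inc.provider_alert_id:
        return "skipped"            # not an MCAS-sourced incident; nothing to dismiss upstream
    if send(build_mcas_dismiss(cfg, inc.provider_alert_id, comment)) // 100 != 2:
        return "mcas_dismiss_failed"
    if send(build_sentinel_close(cfg, inc, comment)) // 100 != 2:
        return "sentinel_close_failed"
    return "resolved"


if __name__ == "__main__":
    cfg = Config("00000000-0000-0000-0000-000000000000", "rg-sec", "law-sentinel",
                 "<arm-token>", "contoso.portal.cloudappsecurity.com", "<mcas-token>")
    # Constructed incident: an MCAS "infrequent country" alert an analyst judged benign.
    inc = SentinelIncident("11111111-1111-1111-1111-111111111111", '"etag-1"',
                           "Activity from infrequent country", "Medium",
                           MCAS_PRODUCT, "0123456789abcdef01234567")

    def dry_run(req: Request) -> int:
        print(req["method"], req["url"])
        return 200

    print(resolve_incident(cfg, inc, dry_run, "Known travel, dismissed via playbook"))
```

The ordering is the design point worth keeping whatever API shapes you end up with: the MCAS dismissal goes first, and the Sentinel incident is only closed once that succeeded, so a transient MCAS failure leaves a visible open incident rather than a silently orphaned alert.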