cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Close incident MCAS Playbook

Robert Young
Brass Contributor

‎Apr 21 2021 11:29 AM

‎Apr 21 2021 11:29 AM

Close incident MCAS Playbook

I am in the process of impplementing our first playbook into Sentinel.  We are currently ingesting our MCAS alerts and automatically creating incidents.

I have added the Close incident MCAS playbook which was provided in github and have configured it as per the instructions but when I close an MCAS incident, nothing is triggered.  Any tips or suggestions?

 

If I manually trigger the the logic app, I get the following failure in the Alert- Get Incident:

 
{
  "statusCode": 404,
  "message": "Resource not found"
}
 
but I suspect this is because it has been manually triggered.  If I close an incident, I do not see any triggers happen.
 
1,944 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Robert Young (Brass Contributor)
Gary Bushey

‎Apr 21 2021 03:51 PM

‎Apr 21 2021 03:51 PM

Solution

Re: Close incident MCAS Playbook

@Robert Young A couple of things

1) This playbook uses the "When a response to an Azure Sentinel alert is triggered" so it would never trigger when you close an Incident (there actually is no trigger for that yet(

2) Not sure how this would work since, if I am reading the workflow correctly, it is triggered when an alert is generated, it closes the incident and for all the alerts from the incident in the incident, it calls the MCAS URL to close the alert.  So basically, when the alert is created in Azure Sentinel it will immediately close the incident and all all alerts in MCAS immediately.   This does not sound like what you want to do.

 

You can use this as the basis of your playbook, but rather than using the Azure Sentinel trigger you would need to use a timer job to check for closed incidents that were created by the MCAS alert and then continue to run the workflow if you find any.  

0 Likes
Reply
Robert Young

‎Apr 21 2021 04:04 PM

‎Apr 21 2021 04:04 PM

Re: Close incident MCAS Playbook

if i understand correctly then, this should close an mcas alert once it has triggered an alert in Sentinel then. That may work....not ideal but the end results is we do not want to chase alerts through multiple systems.

Maybe I will try and craft something that will batch it a couple times a day and that way, I can at least close it with the same classification that I used to close it in Sentinel.

Thanks for the tips and input
0 Likes
Reply