Forum Discussion
Close MCAS alert via API
Good afternoon people.
I am drawing a flow in the Logic App to close the alert in MCAS.
I have little experience with API and would like to get help.
I was using the API call via the path [
[XXXX.us3.portal.cloudappsecurity.com/api/v1/alerts/ID_ALERT/dismiss/]to end the alert as a false positive.
The documentation updated and reported that this feature is obsolete,
passing using the path [api / v1 / alerts / close_false_positive /] with filters, as reported here [ docs.microsoft.com/en-us/cloud-app-security/api-alerts-close-false-positive ]
The point is that I am not sure how to pass the filters through the Logic APP in HTTP POST of this new format.
Can anyone help me in this regard?
Old process:
Luizao_f Hello,
This is what I've been doing from my end and it seems to be working fine. Please give it a try and see how it goes.
Where MCASTenant is the name of the tenant. Make sure that you have a token for authorization. I assume that you are well aware as to how the token has to be generated. Make no changes value of the header should be (Token followed the token generated). In case you do not know how to generate a token here's the link(https://docs.microsoft.com/en-us/cloud-app-security/api-tokens)
Add this to your Body
where Href is the alert id generated in MCAS. For testing copy the id from Sentinel incident and try to execute, at a later stage pass this as a variable.
Hope this works for you!!.
Pranesh1060
Very good. I tested your process and it worked correctly. Thank you. Show.
My second step is to close open incidents in Defender ATP. Do you have something like that? Are you ending incidents on another technology through the Logic App?- Ofer_Shezaf
Microsoft
Luizao_f , Pranesh1060 : note that incident synchronizatoin with all Microsoft 365 defender sources is already in private preview.
