Forum Discussion
Close MCAS alert via API
Luizao_f Hello,
This is what I've been doing from my end and it seems to be working fine. Please give it a try and see how it goes.
Where MCASTenant is the name of the tenant. Make sure that you have a token for authorization. I assume that you are well aware as to how the token has to be generated. Make no changes value of the header should be (Token followed the token generated). In case you do not know how to generate a token here's the link(https://docs.microsoft.com/en-us/cloud-app-security/api-tokens)
Add this to your Body
where Href is the alert id generated in MCAS. For testing copy the id from Sentinel incident and try to execute, at a later stage pass this as a variable.
Hope this works for you!!.
Pranesh1060
Very good. I tested your process and it worked correctly. Thank you. Show.
My second step is to close open incidents in Defender ATP. Do you have something like that? Are you ending incidents on another technology through the Logic App?
- Ofer_ShezafDec 06, 2020Microsoft
Luizao_f , Pranesh1060 : note that incident synchronizatoin with all Microsoft 365 defender sources is already in private preview.
- Luizao_fDec 07, 2020Brass Contributor
Is this reverse closure mentioned above about Micrososft 365 Security Center (https://security.microsoft.com)? I use Azure Sentinel as a centralizer, so I am trying to create integrations for the reserve closure.
- Pranesh1060Dec 07, 2020Brass Contributor
Luizao_f We do have the connector available which can update the alert directly in MDATP and perform other operations like Run AV scan, Collect packages for investigation etc etc. The action you are looking for is update alert. Maybe you can use the same logic to split and isolate the alert id and then close it.