Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Close MCAS alert via API

Brass Contributor
Good afternoon people.

I am drawing a flow in the Logic App to close the alert in MCAS.

I have little experience with API and would like to get help.

I was using the API call via the path [
[XXXX.us3.portal.cloudappsecurity.com/api/v1/alerts/ID_ALERT/dismiss/]to end the alert as a false positive.

The documentation updated and reported that this feature is obsolete,
passing using the path [api / v1 / alerts / close_false_positive /] with filters, as reported here [ docs.microsoft.com/en-us/cloud-app-security/api-alerts-close-false-positive ]

The point is that I am not sure how to pass the filters through the Logic APP in HTTP POST of this new format.

Can anyone help me in this regard?

Old process:

process.PNG

 

 

 
5 Replies

@Luizao_f Hello,

 

This is what I've been doing from my end and it seems to be working fine. Please give it a try and see how it goes.

Where MCASTenant is the name of the tenant. Make sure that you have a token for authorization. I assume that you are well aware as to how the token has to be generated. Make no changes value of the header should be (Token followed the token generated). In case you do not know how to generate a token here's the link(https://docs.microsoft.com/en-us/cloud-app-security/api-tokens)

Pranesh1060_0-1606916298301.png

 

Add this to your Body

where Href is the alert id generated in MCAS. For testing copy the id from Sentinel incident and try to execute, at a later stage pass this as a variable. 

Pranesh1060_1-1606916427564.png

Hope this works for you!!.

 

 

@Pranesh1060 
Very good. I tested your process and it worked correctly. Thank you. Show.

My second step is to close open incidents in Defender ATP. Do you have something like that? Are you ending incidents on another technology through the Logic App?

@Luizao_f , @Pranesh1060 : note that incident synchronizatoin with all Microsoft 365 defender sources is already in private preview.

@Ofer_Shezaf 

Is this reverse closure mentioned above about Micrososft 365 Security Center (https://security.microsoft.com)? I use Azure Sentinel as a centralizer, so I am trying to create integrations for the reserve closure.

@Luizao_f We do have the connector available which can update the alert directly in MDATP and perform other operations like Run AV scan, Collect packages for investigation etc etc. The action you are looking for is update alert. Maybe you can use the same logic to split and isolate the alert id and then close it. 

Pranesh1060_0-1607347421247.png