Sep 06 2021 10:26 AM
We have both Cloud App Security and Azure Sentinel deployed in the environment. When we get alerts from Cloud App Security in Azure Sentinel, we look over the incidents and close them accordingly. When we do this, the same alert generated on the Cloud App Security side is not closed. This leads to duplication of work, where an engineer needs to close the alert in both Cloud App Security and Azure Sentinel.
Is there a way, when we resolve an incident on the Sentinel side, for its related alerts to be closed on the Cloud App Security side?
Sep 06 2021 03:11 PM - edited Oct 14 2022 07:26 AM
This capability is coming.
However, in the interim there's a Playbook available that will accomplish this for you: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Close-Incident-MCAS
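As an added illustration of what a playbook of this kind has to do (example code written here, not the linked playbook or Microsoft's code): take the closed Sentinel incident's classification and its Cloud App Security alerts, and build the matching alert-close call. The product name, the ProviderAlertId mapping, the close endpoints and the token header are assumptions to verify against the Cloud App Security API documentation.

```python
# Added example: map a Sentinel incident closure to the Cloud App Security
# alert-close API call a playbook would make. Runs offline; the send step is optional.
# Assumptions (verify against the Cloud App Security API docs): alerts from Cloud
# App Security arrive in Sentinel with ProductName "Microsoft Cloud App Security"
# and their ProviderAlertId is the Cloud App Security alert id; the portal exposes
# /api/v1/alerts/close_true_positive/, close_benign/ and close_false_positive/.
import json
import urllib.request

MCAS_PRODUCT = "Microsoft Cloud App Security"

# Sentinel incident classification -> Cloud App Security close endpoint.
# "Undetermined" has no counterpart, so it deliberately maps to nothing.
CLOSE_ENDPOINTS = {
    "TruePositive": "close_true_positive",
    "BenignPositive": "close_benign",
    "FalsePositive": "close_false_positive",
}


def mcas_alert_ids(alerts):
    """Return the provider alert ids of the incident's Cloud App Security alerts only."""
    return [a["ProviderAlertId"] for a in alerts if a.get("ProductName") == MCAS_PRODUCT]


def build_close_request(portal_url, classification, alert_ids, comment):
    """Return (url, body) for the close call, or None when there is nothing to close."""
    endpoint = CLOSE_ENDPOINTS.get(classification)
    if endpoint is None or not alert_ids:
        return None
    url = f"{portal_url.rstrip('/')}/api/v1/alerts/{endpoint}/"
    body = {"filters": {"id": {"eq": alert_ids}}, "comment": comment}
    return url, body


def send_close_request(url, body, api_token):
    """POST the close request (assumed 'Token' auth header); returns the HTTP status."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Token {api_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:  # network call, not run in tests
        return resp.status


# Constructed sample: alerts as the Sentinel incident trigger would present them.
SAMPLE_ALERTS = [
    {"ProductName": MCAS_PRODUCT, "ProviderAlertId": "mcas-alert-0001"},
    {"ProductName": "Azure Sentinel", "ProviderAlertId": "sentinel-alert-0002"},
]
```

Only the Cloud App Security alerts are closed; an incident closed as Undetermined produces no call, because the portal has no matching resolution.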
Sep 07 2021 12:32 AM