Microsoft Tech Community

Defender Sentinel Sync

The status of an incident in Sentinel does not sync with Microsoft 365 Defender (Alert product name Microsoft Cloud App Security) when the incident is closed. Has anyone else encountered this issue?
I expected Microsoft 365 Defender and Sentinel to sync incidents on status, owner, and closing reason bi-directionally.
Thanks
4 Replies
Yes, we are using the Defender 365 (Preview) connector

@NicS we have a similar issue -

Did you have any success with automating closure of MCAS with correct status?  I found this article about using API connection, but it's from 2020 so I'm unsure if it is still required.

Microsoft Cloud App Security (MCAS) Activity Log in Azure Sentinel - Microsoft Tech Community


In our case, with the Sentinel security extension enabled in MCAS, Sentinel does not update the MCAS alert at all. If we disable the security extension, it does update, but incorrectly: e.g. closing an alert in Sentinel as False Positive - benign automatically closes the alert in MCAS as True Positive.


Anyone know how to get MCAS updated correctly based on Sentinel Incident closure?


I assume this matters because the logic for alerting in MCAS would be skewed by alerts being closed with an incorrect status?


In our case a removal and redeployment of the Defender for Cloud solution in Sentinel has resolved the issue. There was also some confusion with closing incidents as benign positive in Sentinel. Benign positive is reported as 'True positive' in areas of Defender for Cloud Apps (specifically when opening an incident in Cloud Apps portal, you are notified that MSATP has automatically resolved the incident as True Positive). This is all good of course, since the different portals do not have the same selections for resolution or closure (you even 'close' an incident in Sentinel as opposed to 'resolved' in Cloud Apps) =)
Semantics really! True and Benign positives are both 'True' positives, so it is expected (but potentially confusing).
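As an added illustration (not from this thread and not either product's own tooling), a small reconciliation check that flags the two failure modes described above: a closed Sentinel incident whose Cloud Apps alert is still open, and an alert resolved with a verdict that contradicts the Sentinel classification. Field names, resolution strings and the sample records are assumed placeholders; the Benign positive to True positive pairing is treated as expected, as the last reply explains.

```python
# Sentinel closure classification -> resolution expected on the Cloud Apps side.
# Per the thread, Sentinel's "Benign positive" shows as True Positive in Cloud Apps,
# so that pairing is expected and deliberately not reported as drift. Resolution
# strings and field names are assumed placeholders, not the products' real schemas.
EXPECTED_MCAS_RESOLUTION = {
    "TruePositive": "True Positive",
    "BenignPositive": "True Positive",
    "FalsePositive": "False Positive",
    "Undetermined": None,  # no verdict chosen; only the Closed status should sync
}


def reconcile(sentinel_incidents, mcas_alerts):
    """Return (alert_id, kind, detail) tuples for closed Sentinel incidents whose linked
    Cloud Apps alert is still open, or resolved with a verdict contradicting Sentinel."""
    alerts_by_id = {a["alert_id"]: a for a in mcas_alerts}
    drifts = []
    for inc in sentinel_incidents:
        if inc["status"] != "Closed":
            continue  # only closures are expected to flow back to Cloud Apps
        for alert_id in inc["alert_ids"]:
            alert = alerts_by_id.get(alert_id)
            if alert is None:
                continue  # alert from another product; not an MCAS sync question
            if alert["status"] != "Resolved":
                drifts.append((alert_id, "not_closed",
                               f"incident {inc['incident_id']} is Closed but alert is {alert['status']}"))
                continue
            expected = EXPECTED_MCAS_RESOLUTION.get(inc["classification"])
            if expected is not None and alert["resolution"] != expected:
                drifts.append((alert_id, "wrong_resolution",
                               f"{inc['classification']} should map to {expected}, got {alert['resolution']}"))
    return drifts


# Constructed sample records covering the cases discussed in the thread.
SENTINEL_INCIDENTS = [
    {"incident_id": "inc-1", "status": "Closed", "classification": "BenignPositive", "alert_ids": ["a1"]},
    {"incident_id": "inc-2", "status": "Closed", "classification": "FalsePositive", "alert_ids": ["a2"]},
    {"incident_id": "inc-3", "status": "Closed", "classification": "TruePositive", "alert_ids": ["a3"]},
    {"incident_id": "inc-4", "status": "Active", "classification": "Undetermined", "alert_ids": ["a4"]},
]
MCAS_ALERTS = [
    {"alert_id": "a1", "status": "Resolved", "resolution": "True Positive"},  # expected mapping
    {"alert_id": "a2", "status": "Resolved", "resolution": "True Positive"},  # wrong verdict, as in the thread
    {"alert_id": "a3", "status": "Open", "resolution": None},                 # closure never synced
    {"alert_id": "a4", "status": "Open", "resolution": None},                 # incident still active
]
```

Running `reconcile(SENTINEL_INCIDENTS, MCAS_ALERTS)` over the sample data reports a2 as a wrong resolution and a3 as never closed, while a1 (Benign positive shown as True Positive) and the still-active inc-4 are correctly left alone.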