Apr 06 2020 03:58 PM
Hello everyone,
I hope you are all doing well. I'm trying to retrieve the dismiss alerts logs for MCAS in Azure Sentinel using Azure Log Analytics; however, I don't have the raw data as usual, which doesn't enable me to know the log type. Are these activities retrievable by any chance (using KQL, API)?
Thank you,
Stay safe.
Alexander
Apr 20 2020 02:33 PM
@Alexander_Ceyran no, you can't retrieve them into your workspace.
It is possible to write a playbook from Sentinel that will dismiss the alerts in MCAS; was this what you were trying to achieve?
Sarah
Sep 24 2020 06:24 AM
@Sarah_Young I am looking to be able to write a playbook, which will close an MCAS alert in Sentinel and dismiss the corresponding alert in MCAS.
Sep 24 2020 02:49 PM
@sammyredo please look at this example in our Github repo:
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Resolve-McasInfrequentCountryAlerts
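As an added illustration (not code from this thread or from the linked Azure-Sentinel repo) of the call such a playbook makes: a small Python helper that builds and sends the MCAS alerts API request to close alerts as false positives. The endpoint path, `Token` authorization header, and filter body shape are assumptions about the MCAS API, and the portal URL and alert ids are constructed sample values.

```python
"""Added example: the HTTP call a Sentinel playbook makes to close MCAS alerts.
Endpoint, header format and body shape are assumptions about the MCAS alerts
API; verify them against the current Defender for Cloud Apps API reference."""
import json
import urllib.request


def build_close_request(portal_url, api_token, alert_ids, comment):
    """Return (url, headers, body_bytes) for the close-false-positive call.

    portal_url: tenant portal, e.g. https://contoso.portal.cloudappsecurity.com
                (constructed sample)
    alert_ids:  MCAS alert ids, normally taken from the Sentinel incident's
                alert properties
    """
    if not alert_ids:
        raise ValueError("at least one MCAS alert id is required")
    url = portal_url.rstrip("/") + "/api/v1/alerts/close_false_positive/"
    headers = {
        "Authorization": f"Token {api_token}",   # MCAS legacy API token (assumed)
        "Content-Type": "application/json",
    }
    # Filter selects the alerts to close; the comment is recorded on each alert.
    body = {"filters": {"id": {"eq": list(alert_ids)}}, "comment": comment}
    return url, headers, json.dumps(body).encode()


def close_alerts(portal_url, api_token, alert_ids, comment,
                 opener=urllib.request.urlopen):
    """Send the request and return the parsed JSON response.

    `opener` is injectable so the call can be exercised without network access.
    """
    url, headers, data = build_close_request(portal_url, api_token, alert_ids, comment)
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with opener(req) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    url, headers, data = build_close_request(
        "https://contoso.portal.cloudappsecurity.com",   # constructed
        "REPLACE_WITH_API_TOKEN",                         # placeholder
        ["5f1c2a3b4d5e6f7a8b9c0d1e"],                     # constructed alert id
        "Closed from Sentinel playbook",
    )
    print(url, json.loads(data))
```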
Oct 12 2020 06:52 AM
@Sarah_Young Thank you. This should work.