Sync of alert status


Within Sentinel we have various integrations (like MCAS, Defender ATP, etc.). We have some Playbooks within MCAS which change the status of some alerts. These changes are not reflected within Sentinel. When the status of an alert in MCAS is set to resolved, the status within Defender does not change. Is this something planned to adapt in future?

2 Replies

@CurlX Yes, this is a common request.

Have you seen the following Playbook workaround for ASC?

https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Close-Incident-ASCAlert

@rodtrent

Thanks for the link. I have seen this playbook during some research, it says:

This playbook will close the Sentinel incident and will also dismiss the corresponding Azure Security Center alert.

I think we have to make new automations in Sentinel. So far, we used Power Automate within Cloud App Security for automation, for example to close an alert. So while the status in MCAS is resolved, the status in Sentinel is still new. It would have been great if the status were updated in Sentinel according to the status the alert has in MCAS.