Retrieve "dismiss alert" logs in Sentinel


Hello everyone,

 

I hope you are all doing well. I'm trying to retrieve the dismiss-alert logs for MCAS in Azure Sentinel using Azure Log Analytics; however, I don't have the raw data as usual, which doesn't let me know the log type. Are these activities retrievable by any chance (using KQL or the API)?

 


Thank you,

Stay safe.

 

Alexander


@Alexander_Ceyran No, you can't retrieve them into your workspace.

 

It is possible to write a playbook from Sentinel that will dismiss the alerts in MCAS; was this what you were trying to achieve?

 

Sarah

@Sarah_Young I am looking to be able to write a playbook, which will close an MCAS alert in Sentinel and dismiss the corresponding alert in MCAS.

@Sarah_Young Thank you. This should work.