Azure-Sentinel/Playbooks/Dismiss_Upstream_Events
dicolanl 525d001024 Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00
azuredeploy.json New playbook created to dismiss upstream events. 2020-08-25 14:25:35 +01:00
readme.md Updating Deploy buttons and links part 1 2021-06-16 00:25:40 +00:00

readme.md

Dismiss-Upstream-Events

author: Bridewell Consulting - Robert Kitching

This playbook will close/dismiss upstream events in MDATP, MCAS and Azure Security Center when closed in Sentinel. The playbook will run on a preselected recurrence schedule.

Inspired by [https://github.com/bridewellconsulting/Azure-Sentinel/tree/master/Playbooks/Close-Incident-ASCAlert](https://github.com/bridewellconsulting/Azure-Sentinel/tree/master/Playbooks/Close-Incident-ASCAlert)

Notes

This playbook accounts for API pagination. The default page size is 50; adjust it as appropriate for your environment.
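The pagination the note refers to is the usual Azure REST list shape, where each response carries a `value` array and, when more results remain, a `nextLink` URL to fetch next. The following is an added example (not code from this playbook or the Azure-Sentinel repository) showing how a client should walk those pages to completion without dropping results or looping forever. The HTTP layer is injected as a function, and the "API" below is a constructed fake that serves 120 alerts in pages of 50; the `$skipToken` query parameter, the hostname and the alert records are all assumptions made for the example.

```python
"""Follow Azure-style 'nextLink' pagination until every page has been read.

Added example, not part of the Dismiss-Upstream-Events playbook. It assumes
the upstream API returns {"value": [...], "nextLink": "<url>"} and omits
nextLink on the final page. The HTTP call is injected so the logic runs
offline against the constructed fake API at the bottom of the file.
"""
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlparse

PAGE_SIZE = 50    # matches the playbook's stated default page size
MAX_PAGES = 1000  # safety cap: a server that never stops returning nextLink

# Constructed placeholder endpoint; not a real Azure URL.
FIRST_URL = "https://management.example.invalid/alerts?api-version=2021-01-01"


def iter_pages(get_json: Callable[[str], Dict], first_url: str) -> Iterator[Dict]:
    """Yield each page body in order, stopping when nextLink is absent.

    Two failure modes a naive loop misses are handled here:
    - a nextLink that repeats an earlier URL (would loop forever), and
    - an unbounded chain of nextLinks (MAX_PAGES cap).
    """
    url: Optional[str] = first_url
    seen = set()
    pages = 0
    while url:
        if url in seen:
            raise RuntimeError(f"pagination loop: nextLink repeated {url!r}")
        if pages >= MAX_PAGES:
            raise RuntimeError("exceeded MAX_PAGES; refusing to follow more nextLinks")
        seen.add(url)
        body = get_json(url)
        pages += 1
        yield body
        url = body.get("nextLink")  # None on the last page ends the loop


def collect_all(get_json: Callable[[str], Dict], first_url: str) -> List[Dict]:
    """Flatten every page's 'value' array into one list of records."""
    items: List[Dict] = []
    for page in iter_pages(get_json, first_url):
        items.extend(page.get("value", []))
    return items


def make_fake_api(total: int, page_size: int = PAGE_SIZE) -> Callable[[str], Dict]:
    """Build a constructed in-memory API serving `total` alerts in pages.

    Paging is driven by an assumed '$skipToken' query parameter holding the
    offset of the next page; real Azure APIs use opaque tokens, but the
    client logic above never needs to understand the token's contents.
    """
    alerts = [{"id": f"alert-{i}", "status": "Resolved"} for i in range(total)]

    def get_json(url: str) -> Dict:
        query = parse_qs(urlparse(url).query)
        skip = int(query.get("$skipToken", ["0"])[0])
        body: Dict = {"value": alerts[skip:skip + page_size]}
        if skip + page_size < total:
            body["nextLink"] = f"{FIRST_URL}&$skipToken={skip + page_size}"
        return body

    return get_json


if __name__ == "__main__":
    records = collect_all(make_fake_api(120), FIRST_URL)
    print(f"collected {len(records)} records")
```

Run it and it collects all 120 constructed records across three pages; a client that reads only the first page would silently act on 50 and leave the remaining 70 upstream events open. The `seen` set and `MAX_PAGES` guard are the two checks worth carrying into any scheduled automation that walks an API, since a misbehaving endpoint otherwise turns a 6-hourly run into one that never finishes.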

The default recurrence (frequency and interval) is every 6 hours.

Additional Post Install Notes:

The Logic App uses a system-assigned managed identity to authenticate and authorize against management.azure.com when retrieving data from the API. Be sure to enable the system-assigned identity on the Logic App.

For MCAS you will need to generate an access token.

Assign the 'Log Analytics Reader' and 'Security Admin' RBAC roles to the Logic App's managed identity at the required scope.
