Azure-Sentinel/Playbooks/Dismiss_Upstream_Events
Robert Kitching 3a00f55587 New playbook created to dismiss upstream events. 2020-08-25 14:25:35 +01:00

Dismiss-Upstream-Events

author: Bridewell Consulting - Robert Kitching

This playbook closes/dismisses the upstream events in MDATP, MCAS and Azure Security Center when the corresponding incident is closed in Sentinel. The playbook runs on a preselected recurrence schedule.

Inspired by [https://github.com/bridewellconsulting/Azure-Sentinel/tree/master/Playbooks/Close-Incident-ASCAlert](https://github.com/bridewellconsulting/Azure-Sentinel/tree/master/Playbooks/Close-Incident-ASCAlert)

Notes

This playbook accounts for API pagination. The default page size is set to 50; alter it as appropriate.
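The pagination handling described above, as an added Python illustration that is not the playbook's own code (the Logic App does this with HTTP actions). It walks the `value` / `nextLink` response shape used by Azure management APIs, stops when `nextLink` is absent, and guards against a service that keeps returning a link. The `fetch_page` callable, `PAGE_SIZE` and the sample pages are constructed for the example.

```python
from typing import Callable, Iterator

PAGE_SIZE = 50  # the playbook's default page size ($top)


def iter_pages(fetch_page: Callable[[str], dict], first_url: str,
               max_pages: int = 1000) -> Iterator[dict]:
    """Yield each response page, following `nextLink` until it is absent.

    `max_pages` and the `seen` set stop a run that would otherwise only
    end at the Logic App timeout if the service kept returning a link.
    """
    url, seen = first_url, set()
    for _ in range(max_pages):
        if url in seen:
            raise RuntimeError(f"pagination loop detected at {url!r}")
        seen.add(url)
        page = fetch_page(url)
        yield page
        url = page.get("nextLink")
        if not url:
            return
    raise RuntimeError("exceeded max_pages while paginating")


def closed_incident_ids(fetch_page: Callable[[str], dict],
                        first_url: str) -> list:
    """Incident ids (`name`) whose Sentinel status is Closed, across all pages."""
    return [inc["name"]
            for page in iter_pages(fetch_page, first_url)
            for inc in page.get("value", [])
            if inc.get("properties", {}).get("status") == "Closed"]


# Constructed sample data (hypothetical): three pages, the last has no nextLink.
SAMPLE_PAGES = {
    "p1": {"value": [{"name": "inc-1", "properties": {"status": "Closed"}},
                     {"name": "inc-2", "properties": {"status": "Active"}}],
           "nextLink": "p2"},
    "p2": {"value": [{"name": "inc-3", "properties": {"status": "Closed"}}],
           "nextLink": "p3"},
    "p3": {"value": [{"name": "inc-4", "properties": {"status": "New"}}]},
}


def sample_fetch(url: str) -> dict:
    """Stand-in for the HTTP GET the Logic App performs (constructed)."""
    return SAMPLE_PAGES[url]
```

Calling `closed_incident_ids(sample_fetch, "p1")` returns `['inc-1', 'inc-3']`, showing that a closed incident on a later page is not missed.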

The default recurrence interval and frequency are set to 6 hours.

Additional Post Install Notes:

The Logic App uses a system-assigned managed identity to authenticate and authorize against management.azure.com when retrieving data from the API. Be sure to turn on the system-assigned identity in the Logic App.

For MCAS you will need to generate an access token.

Assign the RBAC roles 'Log Analytics Reader' and 'Security Admin' to the Logic App's identity at the required scope.