Forum Discussion
Azure Sentinel how to clear Threat Intelligence Indicator table
william890 If it is old data you want to get rid of and you always only want to keep the newer data you can set data type retention: Manage usage and costs for Azure Monitor Logs - Azure Monitor | Microsoft Docs
This way you can set your table to only hold 30 days for example, while the other tables will still retain 90 days
- william890Mar 09, 2022Copper Contributor
GaryBushey No, I want to get rid of all data from Threat Intelligence from a specific source (in this case "DShieldScanningIPs") which is no longer useful for me. I still have other sources data that I want to keep.
- GaryBusheyMar 14, 2022Bronze Contributor
william890 How comfortable are you with making REST API calls? The call to delete a single IOC is:
https://management.azure.com/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.OperationalInsights/workspaces/<workspacename>/providers/Microsoft.SecurityInsights/threatintelligence/main/indicators/<indicatorGUID>?api-version=2019-01-01-preview
There is also a "queryIndicators" call that will allow you to filter what you see by source and other properties. Go to azure-rest-api-specs/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview at main · Azure/azure-rest-api-specs (github.com) for more information on it.
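The two calls in the reply above can be chained into a bulk delete: query the indicators whose source is "DShieldScanningIPs", then issue the single-indicator DELETE for each GUID returned. The script below is an added example written for this thread, not Microsoft's code or anything from the original posts. It assumes the 2019-01-01-preview shapes as I read them in the linked spec: the queryIndicators POST body takes `sources`, `pageSize` and `includeDisabled`, the response is `{"value": [...]}` where each item's `name` is the indicator GUID and `properties.source` is the feed, and a DELETE with an empty response body means success. Verify those against the spec tree before running it for real. The `FakeIndicatorStore` and the GUIDs in `SAMPLE` are constructed so the logic runs offline.

```python
"""Bulk-delete Azure Sentinel TI indicators from one source (queryIndicators + DELETE).
Added example, not Microsoft's code. Field names and response shape are assumptions
taken from the 2019-01-01-preview spec; check them against the linked spec."""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

API_VERSION = "2019-01-01-preview"

# transport(method, url, json_body_or_None) -> decoded JSON dict ({} when no body)
Transport = Callable[[str, str, Optional[dict]], dict]


def ti_base_url(subscription: str, resource_group: str, workspace: str) -> str:
    """URL of the workspace's threatintelligence/main resource, as in the thread."""
    return ("https://management.azure.com"
            f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
            "/providers/Microsoft.OperationalInsights"
            f"/workspaces/{workspace}"
            "/providers/Microsoft.SecurityInsights/threatintelligence/main")


def arm_transport(bearer_token: str) -> Transport:
    """Real transport: ARM call with a bearer token (e.g. from `az account get-access-token`)."""
    def send(method: str, url: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {bearer_token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


def delete_indicators_from_source(transport: Transport, base_url: str, source: str,
                                  dry_run: bool = True, page_size: int = 100,
                                  max_rounds: int = 1000) -> List[str]:
    """Delete every indicator whose source == `source`; with dry_run only list the first page.

    Instead of tracking nextLink/skipToken, the same query is re-run after each batch of
    deletes until it returns nothing. Returns the GUIDs that were (or would be) deleted."""
    query_url = f"{base_url}/queryIndicators?api-version={API_VERSION}"
    criteria = {"sources": [source], "pageSize": page_size, "includeDisabled": True}
    handled: List[str] = []
    previous: List[str] = []
    for _ in range(max_rounds):
        batch = transport("POST", query_url, criteria).get("value", [])
        # never delete something the server-side filter let through with another source
        ids = [i["name"] for i in batch if i.get("properties", {}).get("source") == source]
        if not ids or ids == previous:      # nothing left, or no progress (deletes failing)
            break
        previous = ids
        for guid in ids:
            if not dry_run:
                transport("DELETE", f"{base_url}/indicators/{guid}?api-version={API_VERSION}", None)
            handled.append(guid)
        if dry_run:
            break                            # nothing changed, the next round would repeat
    return handled


class FakeIndicatorStore:
    """Constructed in-memory stand-in for the two ARM endpoints, for offline runs."""
    def __init__(self, indicators: Dict[str, str]):   # guid -> source
        self.indicators = dict(indicators)
        self.deleted: List[str] = []

    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        if method == "POST" and "/queryIndicators?" in url:
            hits = [{"name": g, "properties": {"source": s}}
                    for g, s in self.indicators.items() if s in body["sources"]]
            return {"value": hits[:body["pageSize"]]}
        if method == "DELETE":
            guid = url.rsplit("/indicators/", 1)[1].split("?", 1)[0]
            del self.indicators[guid]
            self.deleted.append(guid)
            return {}
        raise ValueError(f"unexpected call {method} {url}")


SAMPLE = {  # constructed GUIDs, not real indicators
    "11111111-1111-1111-1111-111111111111": "DShieldScanningIPs",
    "22222222-2222-2222-2222-222222222222": "DShieldScanningIPs",
    "33333333-3333-3333-3333-333333333333": "DShieldScanningIPs",
    "44444444-4444-4444-4444-444444444444": "SecurityGraph",
}

if __name__ == "__main__":
    store = FakeIndicatorStore(SAMPLE)
    base = ti_base_url("<Subscription>", "<ResourceGroup>", "<workspacename>")
    print("would delete:", delete_indicators_from_source(store, base, "DShieldScanningIPs"))
    print("deleted:", delete_indicators_from_source(store, base, "DShieldScanningIPs", dry_run=False))
    print("left:", store.indicators)   # only the SecurityGraph indicator remains
```

For a real run, swap `FakeIndicatorStore(SAMPLE)` for `arm_transport(token)` with a token that has write rights on the workspace, and keep `dry_run=True` until the listed GUIDs look right; the deletes are not reversible. The "no progress" guard stops the loop if DELETE starts failing silently or the query keeps returning the same page.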
- MattBurrowsMar 13, 2022Brass Contributor
Funny enough I have this exact problem, DShield throws so many FPs when mapping to sign-in events etc. I couldn't find a way to bulk delete sadly, after searching high and low.
I ended up editing the query to basically != DShield and then wait for the retention to kick in and remove.
Will be interested if someone comes with an answer to bulk delete though!