Forum Discussion
pecific147
Dec 08, 2022 | Copper Contributor
Bulk Closure of old Incidents via PowerShell
Hi All, I am trying to close all MS Sentinel incidents via PowerShell using the script below. Get-AzSentinelIncident -WorkspaceName "XXXXXX_XXXXXX" -All | Where-Object {$_.status -eq "New"} | Fo...
GBushey
Oct 17, 2023 | Iron Contributor
Like Rod mentioned, it may be the total amount of rules you are trying to work with that is causing the issue. I have not looked at the code for "Get-AzSentinelIncident" but the REST API only returns 50 items at one time by default. You could call the REST API directly and then use the "nextLink" that gets returned as the "skipToken" for the next call and iterate through your 8K incidents that way. https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents/list?tabs=HTTP
vezgeta
Oct 17, 2023 | Copper Contributor
GBushey I have closed around 14K incidents caused by a misconfigured analytic rule. It took some time, and I also modified the search parameter to close specific incidents with a similar name. Just replace YYY with the similar name of the incident.

Get-AzSentinelIncident -ResourceGroupName "xxxx" -WorkspaceName "xxxx" |
    Where-Object { $_.Status -eq "New" } |          # only incidents still in status New
    Where-Object { $_.title -like '*YYY*' } |       # only incidents whose title contains YYY
    ForEach-Object {
        # Title, Severity and Status are required by Update-AzSentinelIncident, so they are passed back explicitly
        Update-AzSentinelIncident -Id $_.Name -ResourceGroupName "xxxx" -WorkspaceName "xxxx" -SubscriptionId "xxxx" `
            -Status Closed -Classification Undetermined -Severity Medium -Title $_.title -Confirm:$false
    }
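The REST-API route GBushey describes (one page of incidents per call, nextLink carrying the skipToken for the next page), combined with vezgeta's title filter, as an added example that is not code from this thread or from Microsoft. It assumes an existing Az session (Connect-AzAccount), the Az.Accounts module for Get-AzAccessToken, and placeholder values for subscription, resource group, workspace and YYY; api-version 2023-02-01 is assumed to be the stable incidents version.

```powershell
# Added example, not code from this thread. Pages through the Sentinel incidents REST API by
# following nextLink, collects every "New" incident whose title matches, then closes each one.
# Subscription, resource group, workspace and YYY are placeholders you must replace.
$subscriptionId = '<subscription-id>'
$resourceGroup  = '<resource-group>'
$workspace      = '<workspace-name>'
$titleMatch     = 'YYY'        # substring of the incident title, as in the Where-Object filter above
$apiVersion     = '2023-02-01' # assumed stable API version
$dryRun         = $true        # $true only lists what would be closed; set $false to close

# Bearer token for Azure Resource Manager from the current Az session (run Connect-AzAccount first).
$token = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com/').Token
if ($token -is [securestring]) {   # newer Az.Accounts versions return a SecureString
    $token = [System.Net.NetworkCredential]::new('', $token).Password
}
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
$base = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$workspace" +
        "/providers/Microsoft.SecurityInsights/incidents"

# Pass 1: enumerate. The server filters on status; each response holds at most one page (50 by
# default) plus a nextLink that already carries the $skipToken for the following page.
$statusFilter = [uri]::EscapeDataString("properties/status eq 'New'")
$url     = "${base}?api-version=$apiVersion&`$filter=$statusFilter"
$targets = [System.Collections.Generic.List[object]]::new()
while ($url) {
    $page = Invoke-RestMethod -Method Get -Uri $url -Headers $headers
    foreach ($inc in $page.value) {
        if ($inc.properties.title -like "*$titleMatch*") { $targets.Add($inc) }
    }
    $url = $page.nextLink      # absent on the last page, which ends the loop
}
Write-Host "Matched $($targets.Count) incident(s) in status New with title like *$titleMatch*"

# Pass 2: close. Enumerating first avoids paging over a result set we are mutating.
# PUT replaces the incident, so the required properties (title, severity, status) are sent back.
foreach ($inc in $targets) {
    if ($dryRun) { Write-Host "Would close $($inc.name): $($inc.properties.title)"; continue }
    $body = @{
        etag       = $inc.etag  # optimistic concurrency: the PUT fails if the incident changed meanwhile
        properties = @{
            title                 = $inc.properties.title
            severity              = $inc.properties.severity
            status                = 'Closed'
            classification        = 'Undetermined'
            classificationComment = 'Bulk closed: incidents generated by a misconfigured analytic rule'
        }
    } | ConvertTo-Json -Depth 5
    $null = Invoke-RestMethod -Method Put -Uri "$base/$($inc.name)?api-version=$apiVersion" -Headers $headers -Body $body
}
```

Run it once with $dryRun left at $true and check the listed titles against the misfiring rule before flipping it to $false.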