Forum Discussion
Bulk Closure of old Incidents via PowerShell
Hi All, I am trying to close all MS Sentinel incidents via PowerShell using below script. Get-AzSentinelIncident -WorkspaceName "XXXXXX_XXXXXX" -All | Where-Object {$_.status -eq "New"} | Fo...
Features
- 🚀 Bulk closure of all open incidents regardless of severity
- ⏱️ Pagination handling for reliable processing of large volumes
- 🔄 Automatic retries for failed operations
- 📊 Detailed reporting with success/failure counts
- ⚙️ Configurable parameters for batch size and delays
<#
.SYNOPSIS
Bulk closes ALL Microsoft Sentinel incidents (all severities) without manual intervention.
.DESCRIPTION
Closes all open incidents in batches with automatic retries and proper pagination handling.
#>
# Configuration
$config = @{
ResourceGroupName = "<resource_group_name"
WorkspaceName = "<log_analytic_workspace_name>"
SubscriptionId = "<subscription_id>"
PageSize = 100 # Reduced for better pagination handling
RetryAttempts = 2 # Retries per incident
DelayBetweenCalls = 2 # Seconds between API calls
}
# Initialize counters
$totalClosed = 0
$failedIncidents = [System.Collections.Generic.List[string]]::new()
function Close-AllIncidents {
$continue = $true
$nextLink = $null
while ($continue) {
try {
# Get incidents with proper pagination handling
if ($nextLink) {
$incidents = Get-AzSentinelIncident -NextLink $nextLink
}
else {
$incidents = Get-AzSentinelIncident -ResourceGroupName $config.ResourceGroupName `
-WorkspaceName $config.WorkspaceName `
-Filter "properties/status eq 'New'" `
-Top $config.PageSize
}
if (-not $incidents -or $incidents.Count -eq 0) {
$continue = $false
break
}
# Store nextLink for pagination
$nextLink = $incidents.NextLink
# Process incidents
foreach ($incident in $incidents) {
$retryCount = 0
$closed = $false
while ($retryCount -lt $config.RetryAttempts -and -not $closed) {
try {
Update-AzSentinelIncident -Id $incident.Name `
-ResourceGroupName $config.ResourceGroupName `
-WorkspaceName $config.WorkspaceName `
-SubscriptionId $config.SubscriptionId `
-Status Closed `
-Confirm:$false `
-Severity $incident.Severity `
-Classification Undetermined `
-Title $incident.Title `
-ErrorAction Stop
$script:totalClosed++
$closed = $true
Write-Host "Closed incident: $($incident.Name)" -ForegroundColor Green
} catch {
$retryCount++
if ($retryCount -ge $config.RetryAttempts) {
$script:failedIncidents.Add($incident.Name)
Write-Host "Failed to close incident: $($incident.Name) - $($_.Exception.Message)" -ForegroundColor Red
}
Start-Sleep -Milliseconds 500
}
}
}
Write-Host "Processed $($incidents.Count) incidents | Total closed: $totalClosed"
# Add delay between API calls
Start-Sleep -Seconds $config.DelayBetweenCalls
} catch {
Write-Host "Error processing batch: $_" -ForegroundColor Red
$continue = $false
}
}
}
# Main execution
Write-Host "Starting bulk incident closure process..." -ForegroundColor Cyan
Write-Host "Configuration:"
Write-Host "- Page Size: $($config.PageSize)"
Write-Host "- Retry Attempts: $($config.RetryAttempts)"
Write-Host "- Delay Between Calls: $($config.DelayBetweenCalls)s"
Write-Host ""
Close-AllIncidents
# Results
Write-Host @"
============================================
Bulk closure process completed
Total incidents closed: $totalClosed
Failed to close: $($failedIncidents.Count)
============================================
"@ -ForegroundColor Cyan
if ($failedIncidents.Count -gt 0) {
Write-Host "Failed incident IDs:" -ForegroundColor Yellow
$failedIncidents | ForEach-Object { Write-Host "- $_" }
}
Write-Host "Process completed at $(Get-Date)" -ForegroundColor Cyan