How to close sentinel bulk incidents

vezgeta 

Query to bulk delete incidents and close incident from Azure Cloud Shell console by Title name:

Make sure to have a role Microsoft Sentinel Contributor to run this query in your subscription

First open PowerShell as administrator and install Az PowerShell module:
Install-Module -Name Az -Repository PSGallery
Then Install Az.SecurityInsights module:
Install-Module -Name Az.SecurityInsights
Login to AZ with PowerShell:
Connect-AzAccount
Run this command to close incidents (replace XXXX with needed information):

Query to DELETE incidents by Title:

Get-AzSentinelIncident -ResourceGroupName "XXXX" -workspaceName "XXXX" | Where-Object {$_.Title -eq "YOUR_TITLE_HERE"} | ForEach-Object { Remove-AzSentinelIncident -PassThru -ResourceGroupName "XXXX" -WorkspaceName "XXXX" -id $_.Name}

Query to bulk CLOSE incidents by Title:

Get-AzSentinelIncident -ResourceGroupName "XXXX" -workspaceName "XXXX" | Where-Object {$_.Title -eq "YOUR_TITLE_HERE"} | ForEach-Object {Update-AzSentinelIncident -Id $_.Name -ResourceGroupName "XXXX" -WorkspaceName "XXXX" -SubscriptionId "XXXX" -Status Closed -Confirm:$false -Severity Medium -Classification Undetermined -Title $_.title}

These operations can take a long time, so it recommended running them in the background by using "&" at the end of the query and run the query 3-5 times, so the speed to close/delete incidents will be 3-5 times faster.

You can check the progress of each task by Get-Jobs

Rod_Trent 

I tried to use reference playbook however, I keep getting a failure:

$uri = "reference uri"

$header = @{'Content-Type' = 'application/json'}

$json = @"
{ "bulkoperation": {
"operationtype": "kql",
"operationquery": "SecurityIncident | where TimeGenerated >= ago(7d) | where Status == 'New'",
"operationstatus": "Closed"
}
}
"@

Invoke-WebRequest -Uri $uri -Method POST -Body $json -ContentType "application/json"