Forum Discussion

securityxpert1122's avatar
securityxpert1122
Copper Contributor
May 31, 2022

How to close sentinel bulk incidents

I would like to know how we can close multiple incidents in bulk using KQL query or any other tested option. Appreciate quick response. 
automation
KQL
siem
soar
  • KentuckyMike2085's avatar
    KentuckyMike2085
    Copper Contributor
    Mar 15, 2023

    Rod_Trent 

     

    I tried to use reference playbook however, I keep getting a failure:

     

    $uri = "reference uri"

    $header = @{'Content-Type' = 'application/json'}

    $json = @"
    { "bulkoperation": {
    "operationtype": "kql",
    "operationquery": "SecurityIncident | where TimeGenerated >= ago(7d) | where Status == 'New'",
    "operationstatus": "Closed"
    }
    }
    "@


    Invoke-WebRequest -Uri $uri -Method POST -Body $json -ContentType "application/json"

  • sachu245's avatar
    sachu245
    Copper Contributor
    Jan 24, 2023
    not able to access the above link
    • Rod_Trent's avatar
      Rod_Trent
      Icon for Microsoft rankMicrosoft
      Jan 24, 2023
      Updated the link.
      • abdul1998's avatar
        abdul1998
        Copper Contributor
        Feb 09, 2023
        not able to access the link..if you paste the query here..it will be useful

Resources