Forum Discussion

Pavan_Gelli1910
Brass Contributor
Jan 03, 2020

How to close sentinel incidents using PS

Hi Team,


A few days back, I enabled the default Analytics rules related to Azure Key Vault (AKV). After that I was hit with many incidents (approx. 10K) triggered related to AKV. Now I want to bulk close all of them using PS, because in the UI I can only close 100 incidents in one shot.


I also agree that I need to understand and fine-tune the AKV detection rules thoroughly to avoid alert fatigue.


Please help.


Thanks. 


  •
    vezgeta
    Copper Contributor

    Pavan_Gelli1910 


    Hi, I have a script that I have tested on 14K incidents.


    First open PowerShell as administrator and install Az PowerShell module:
    Install-Module -Name Az -Repository PSGallery
    Then Install Az.SecurityInsights module:
    Install-Module -Name Az.SecurityInsights
    Login to AZ with PowerShell:
    Connect-AzAccount
    Run this command to close incidents (replace xxxx with the needed information and YYY with the part of the name of similar incidents that you want to close):
    Get-AzSentinelIncident -ResourceGroupName "xxxx" -WorkspaceName "xxxx" | Where-Object {$_.Status -eq "New"} | Where-Object {$_.title -like '*YYY*'} | ForEach-Object {Update-AzSentinelIncident -Id $_.Name -ResourceGroupName "xxxx" -WorkspaceName "xxxx" -SubscriptionId "xxxx" -Status Closed -Confirm:$false -Severity Medium -Classification Undetermined -Title $_.title}

  •
    akhalili
    Copper Contributor
    Is there a way to do this with the new PS module? To close multiple incidents using the BenignPositive classification by Incident ID instead of the ARM ID?
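The following script is an added example and is not code from any reply in this thread. It builds on vezgeta's procedure above (same Az.SecurityInsights cmdlets, Get-AzSentinelIncident and Update-AzSentinelIncident, after Connect-AzAccount) and also answers akhalili's question: it can take a list of incident GUIDs and close them with the BenignPositive classification, without needing the ARM resource ID. Resource names, the default title filter and the comment are placeholders; it assumes the incident objects expose .Name (the incident GUID), .Title, .Severity and .Status, as the one-liner above relies on, and that Get-AzSentinelIncident accepts -Id for a single incident. It adds a dry-run switch, the valid classification/reason pairing, and a CSV audit trail, because a bulk closure of 10K incidents should be reviewable afterwards.

```powershell
# Added example: not code from any reply in this thread. Assumes the official
# Az.SecurityInsights module (Get-AzSentinelIncident / Update-AzSentinelIncident),
# an existing Connect-AzAccount session, and that incident objects expose
# .Name (incident GUID), .Title, .Severity and .Status. Names below are placeholders.

[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $WorkspaceName,
    # Wildcard applied to the incident title (placeholder default).
    [string]   $TitlePattern = '*Key Vault*',
    # Optional explicit list of incident GUIDs; when given, the title filter is not used.
    [string[]] $IncidentId = @(),
    [ValidateSet('BenignPositive', 'FalsePositive', 'TruePositive', 'Undetermined')]
    [string]   $Classification = 'BenignPositive',
    [string]   $Comment = 'Bulk closed: noisy Key Vault rule pending tuning (placeholder)',
    # Dry run: report what would be closed without changing anything.
    [switch]   $DryRun
)

# Guard against an empty pattern, which would otherwise match every open incident.
if ($IncidentId.Count -eq 0 -and [string]::IsNullOrWhiteSpace($TitlePattern)) {
    throw 'Refusing to run: no incident IDs and an empty title pattern.'
}

# Each classification accepts only certain reasons; Undetermined takes none.
$reasonFor = @{
    BenignPositive = 'SuspiciousButExpected'
    FalsePositive  = 'InaccurateData'
    TruePositive   = 'SuspiciousActivity'
}

$scope = @{ ResourceGroupName = $ResourceGroupName; WorkspaceName = $WorkspaceName }

# 1. Select targets: by explicit incident GUID, or by status plus title pattern.
if ($IncidentId.Count -gt 0) {
    $targets = foreach ($id in $IncidentId) { Get-AzSentinelIncident @scope -Id $id }
} else {
    $targets = Get-AzSentinelIncident @scope |
        Where-Object { $_.Status -eq 'New' -and $_.Title -like $TitlePattern }
}
$targets = @($targets | Where-Object { $_.Status -ne 'Closed' })
Write-Host ("{0} incident(s) selected" -f $targets.Count)

# 2. Close each one, recording the outcome for an audit trail.
$log = New-Object System.Collections.Generic.List[object]
foreach ($incident in $targets) {
    if ($DryRun) {
        Write-Host ("[dry-run] would close {0}  '{1}'" -f $incident.Name, $incident.Title)
        continue
    }
    # Title and Severity are passed back unchanged, as the one-liner above does,
    # so the same call also works on module versions that require them.
    $update = @{
        Id                    = $incident.Name
        Title                 = $incident.Title
        Severity              = $incident.Severity
        Status                = 'Closed'
        Classification        = $Classification
        ClassificationComment = $Comment
        Confirm               = $false
    }
    if ($reasonFor.ContainsKey($Classification)) {
        $update.ClassificationReason = $reasonFor[$Classification]
    }
    try {
        Update-AzSentinelIncident @scope @update | Out-Null
        $result = 'Closed'
    } catch {
        Write-Warning ("Failed to close {0}: {1}" -f $incident.Name, $_.Exception.Message)
        $result = "Error: $($_.Exception.Message)"
    }
    $log.Add([pscustomobject]@{
        IncidentId = $incident.Name
        Title      = $incident.Title
        Result     = $result
        Utc        = [datetime]::UtcNow.ToString('o')
    })
}

# 3. Keep a CSV of what this run touched; bulk closures should be reviewable later.
if (-not $DryRun) {
    $log | Export-Csv -Path ".\bulk-close-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation
}
```

Run it once with -DryRun and check the count and titles before the real run; with -IncidentId 'guid1','guid2' it closes exactly those incidents and ignores the title pattern.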
  •
    DTracey
    Copper Contributor

    Pavan_Gelli1910 


    Get-AzSentinelIncident -WorkspaceName <"Workspace Name"> | ForEach-Object {Update-AzSentinelIncident -WorkspaceName <"Workspace Name"> -CaseNumber $_.CaseNumber -Status Closed -CloseReason FalsePositive -Confirm:$false}

  •
    SocInABox
    Iron Contributor

    Pavan_Gelli1910 

    Better late than never on this question...

    There is now a really nice suite of PowerShell commands for Azure Sentinel.

    Check this out:

    https://www.pkm-technology.com/page/2/

    https://www.powershellgallery.com/packages/AzSentinel/0.6.2


    And to answer your question you could do a simple loop like this:
    888..934 | ForEach-Object { Update-AzSentinelIncident -WorkspaceName "<workspace name>" -CaseNumber $_ -Status Closed }

    In the above example I'm closing incidents with case numbers 888 to 934.


  •
    GaryBushey
    Bronze Contributor

    Pavan_Gelli1910 There are no supported PowerShell commands for working with Sentinel, although the people at Wortell did an amazing job coming up with some PowerShell commands on their own that make use of the unsupported Azure Sentinel REST API calls.


    With that said, depending on your level of PowerShell skill and using those commands as a baseline, you can go to the Azure Sentinel REST specification page at https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview to get information on the APIs that can be used to do what you want. A couple of things to remember:

    1) Azure Sentinel used to be called Azure Security Insights, hence the API name

    2) Incidents used to be called Cases so look for that in the API calls.
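As an added example of the REST route described in this reply (not code from any post in the thread or from the Wortell module), the script below talks to the incidents resource directly with Invoke-AzRestMethod from Az.Accounts, which signs each call with the Connect-AzAccount token. It assumes the stable API version 2021-10-01, where the resource is called incidents (the 2019-01-01-preview spec linked above still calls it cases), that the incident list supports an OData $filter on properties/status and pages via nextLink, and that the service ignores read-only properties when a GET body is sent back on PUT. Subscription, resource group, workspace and the comment are placeholders. The point it adds over the cmdlet approach is paging over a large backlog and the etag on PUT, which makes the write fail rather than silently overwrite an analyst's concurrent edit.

```powershell
# Added example: not code from any reply in this thread. Assumes Az.Accounts'
# Invoke-AzRestMethod, incidents API version 2021-10-01, and placeholder names.

$SubscriptionId    = '<subscription id>'
$ResourceGroupName = '<resource group>'
$WorkspaceName     = '<workspace name>'
$ApiVersion        = '2021-10-01'

$IncidentsPath = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
                 "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName" +
                 "/providers/Microsoft.SecurityInsights/incidents"

function Invoke-Arm {
    # Thin wrapper: fail loudly on non-2xx responses and parse the JSON body.
    param([string] $Path, [string] $Method = 'GET', [string] $Payload)
    $call = @{ Path = $Path; Method = $Method }
    if ($Payload) { $call.Payload = $Payload }
    $resp = Invoke-AzRestMethod @call
    if ($resp.StatusCode -lt 200 -or $resp.StatusCode -ge 300) {
        throw "$Method $Path returned HTTP $($resp.StatusCode): $($resp.Content)"
    }
    if ($resp.Content) { $resp.Content | ConvertFrom-Json }
}

function Get-OpenIncidents {
    # Server-side filter on status, client-side match on title, nextLink paging
    # (a 10K backlog comes back in several pages, not one response).
    param([string] $TitleContains)
    $filter = [uri]::EscapeDataString("properties/status eq 'New'")
    $path   = "$IncidentsPath`?api-version=$ApiVersion&`$filter=$filter"
    while ($path) {
        $page = Invoke-Arm -Path $path
        foreach ($i in $page.value) {
            if (-not $TitleContains -or $i.properties.title -like "*$TitleContains*") { $i }
        }
        # nextLink is an absolute URL; keep only path and query for -Path.
        $path = if ($page.nextLink) { ([uri]$page.nextLink).PathAndQuery } else { $null }
    }
}

function Close-IncidentBenign {
    # PUT the representation we just read, with its etag, so a stale copy is rejected
    # instead of overwriting a change an analyst made in the meantime.
    param($Incident, [string] $Comment)
    $p = $Incident.properties
    $p.status = 'Closed'
    $p | Add-Member -NotePropertyName classification        -NotePropertyValue 'BenignPositive'        -Force
    $p | Add-Member -NotePropertyName classificationReason  -NotePropertyValue 'SuspiciousButExpected' -Force
    $p | Add-Member -NotePropertyName classificationComment -NotePropertyValue $Comment                -Force
    $body = @{ etag = $Incident.etag; properties = $p } | ConvertTo-Json -Depth 20
    Invoke-Arm -Path "$IncidentsPath/$($Incident.name)?api-version=$ApiVersion" `
               -Method PUT -Payload $body | Out-Null
}

# Constructed usage: count first, then close.
$open = @(Get-OpenIncidents -TitleContains 'Key Vault')
Write-Host "$($open.Count) open Key Vault incidents selected"
foreach ($inc in $open) {
    Close-IncidentBenign -Incident $inc -Comment 'Bulk closed: rule under tuning (placeholder)'
}
```

Because the status filter is applied on the server, each page only carries open incidents; the title match is done client-side so the OData expression stays simple. Comment out the foreach loop on the first run to confirm the count before anything is written.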
