Forum Discussion

Pavan_Gelli1910's avatar
Pavan_Gelli1910
Brass Contributor
Jan 03, 2020

How to close sentinel incidents using PS

Hi Team,   Few days back, i have enabled default Analytics rules related to Azure Key Vault(AKV). After that i was hit with many incidents(approx 10K) got triggered related AKV. Now i want bulk clo...
GaryBushey's avatar
GaryBushey
Bronze Contributor
Jan 03, 2020

Pavan_Gelli1910 There are no supported PowerShell commands for working with Sentinel although the people at Wortell did an amazing job coming up with some PowerShell commands on their own that make use of the unsupported Azure Sentinel REST APIs calls.

 

With that said, depending on your level of PowerShell skill and using those commands as a baseline, you can go to the Azure Sentinel REST specification page at https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview    to get information on the APIs that can be used to do what you want.  A couple of things to remember:

1) Azure Sentinel used to be called Azure Security Insights, hence the API name

2) Incidents used to be called Cases so look for that in the API calls.

Resources