Forum Discussion

Pavan_Gelli1910's avatar
Pavan_Gelli1910
Brass Contributor
Jan 03, 2020

How to close sentinel incidents using PS

Hi Team,   Few days back, i have enabled default Analytics rules related to Azure Key Vault(AKV). After that i was hit with many incidents(approx 10K) got triggered related AKV. Now i want bulk clo...
vezgeta's avatar
vezgeta
Copper Contributor
Oct 17, 2023

Pavan_Gelli1910 

 

Hi, have a script that I have tested on 14K of incidents.

 

First open PowerShell as administrator and install Az PowerShell module:
Install-Module -Name Az -Repository PSGallery
Then Install Az.SecurityInsights module:
Install-Module -Name Az.SecurityInsights
Login to AZ with PowerShell:
Connect-AzAccount
Run this command to close incidents (replace xxxx with the needed information and YYY with the part of the name of similar incidents that you want to close):
Get-AzSentinelIncident -ResourceGroupName "xxxx" -WorkspaceName "xxxx" | Where-Object {$_.Status -eq "New"} | Where-Object {$_.title -like '*YYY*'} | ForEach-Object {Update-AzSentinelIncident -Id $_.Name -ResourceGroupName "xxxx" -WorkspaceName "xxxx" -SubscriptionId "xxxx" -Status Closed -Confirm:$false -Severity Medium -Classification Undetermined -Title $_.title}

Resources