Forum Discussion

Akila2
Copper Contributor
Sep 04, 2025
Solved

Unable to Delete Threat Intelligence Indicator

Hi,

For testing purposes, I added a TI indicator in Sentinel via the UI. When I deleted it, the indicator disappeared from the UI, but the record still exists in the ThreatIntelIndicators table.

From what I’ve observed, every modification to a TI indicator leaves a record in the table, almost like an audit trail. So now I see two records:

  • One for the original creation
  • One for the deletion action

The issue is that I’m building a rule based on this table, and it still matches the “created” record even though the indicator was deleted.

I’ve already tried both the az sentinel threat-indicator delete command and the REST API, but I got server errors.

Is there any way to completely delete a TI record from the ThreatIntelIndicators table?

Thanks in advance.

  • No, you cannot completely and permanently delete a single record from the ThreatIntelligenceIndicator table as if it never existed.

    To ensure your analytics rule only triggers on indicators that are currently active and not deleted, you must modify your KQL query to filter out the deleted ones.

    // Step 1: Get the latest state for each indicator
    let latest_indicators = ThreatIntelligenceIndicator
    | summarize arg_max(TimeGenerated, *) by IndicatorId;
    // Step 2: Filter out any indicators where the latest state is 'delete'
    let active_indicators = latest_indicators
    | where Action != "delete";
    // Now, use 'active_indicators' in the rest of your query
    // For example, joining with SigninLogs
    active_indicators
    | where isnotempty(NetworkIP)
    | join kind=inner (
        SigninLogs
    ) on $left.NetworkIP == $right.IPAddress
    // Add other conditions and projections here
    | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
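
As an added example (not from the original thread or the accepted answer), the same newest-row-per-indicator pattern carried through into a complete rule body: it bounds the scan window, also drops indicators that are inactive or expired via the Active and ExpirationDateTime columns, and includes a one-off check query for confirming what the final row of a test indicator looks like before trusting the filter. It assumes the legacy ThreatIntelligenceIndicator table the answer queries and the Action == "delete" convention from the answer; the newer ThreatIntelIndicators table named in the question has a different schema, so its column names would need mapping.

```kql
// Added example, not from the original thread. Assumes the legacy
// ThreatIntelligenceIndicator table and the Action == "delete" convention
// used in the accepted answer.
// Step 1: current state of every indicator. The table is append-only, so
// the newest row per IndicatorId is the only one that reflects reality.
let current_ti = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(14d)        // bound the scan to what the rule needs
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Action != "delete"              // deleted through the UI or API
    | where Active == true                  // deactivated but not deleted
    | where ExpirationDateTime > now();     // past its validity window
// Step 2 (run once by hand, not part of the rule): confirm a test
// indicator's final state. A UI-deleted indicator should show
// Action == "delete" here and must not appear in current_ti.
// Replace the placeholder with the real IndicatorId.
// ThreatIntelligenceIndicator
// | where IndicatorId == "<test-indicator-id>"
// | summarize arg_max(TimeGenerated, Action, Active, ExpirationDateTime) by IndicatorId
// Step 3: rule body. Only IP-type indicators can match a sign-in, and the
// sign-in window is bounded separately from the indicator window.
current_ti
| where isnotempty(NetworkIP)
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(1h)
    | project SigninTime = TimeGenerated, UserPrincipalName, IPAddress, ResultType
) on $left.NetworkIP == $right.IPAddress
| project SigninTime, UserPrincipalName, IPAddress, ResultType,
          IndicatorId, Description, ConfidenceScore, IndicatorTime = TimeGenerated
| extend timestamp = SigninTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
```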

3 Replies

  •
    Akila2
    Copper Contributor

    Thanks for clarifying this! The explanation and sample KQL are very helpful. I’ll update my rule to filter out deleted indicators as suggested.
