Forum Discussion
Unable to Delete Threat Intelligence Indicator
- Sep 09, 2025
No, you cannot completely and permanently delete a single record from the ThreatIntelligenceIndicator table as if it never existed.
To ensure your analytics rule only triggers on indicators that are currently active and not deleted, you must modify your KQL query to filter out the deleted ones.
// Step 1: Get the latest state for each indicator
let latest_indicators = ThreatIntelligenceIndicator
    | summarize arg_max(TimeGenerated, *) by IndicatorId;
// Step 2: Filter out any indicators where the latest state is 'delete'
let active_indicators = latest_indicators
    | where Action != "delete";
// Now, use 'active_indicators' in the rest of your query
// For example, joining with SigninLogs
active_indicators
| where isnotempty(NetworkIP)
| join kind=inner (
    SigninLogs
) on $left.NetworkIP == $right.IPAddress
// Add other conditions and projections here
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
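The reason the arg_max step matters is that the table is append-only: a deletion arrives as a newer row for the same IndicatorId, so filtering rows on Action alone still leaves the older "alert" row in play. The following Python, added here as an illustration rather than code from the forum thread, replays the two steps of the posted KQL over constructed sample rows and shows the naive row-level filter still matching a sign-in from a deleted indicator's IP (column names mirror the query; the sample values are made up):

```python
from datetime import datetime

# Constructed rows modelled on the ThreatIntelligenceIndicator table.
# ind-1 was ingested on Sep 1 and then deleted on Sep 3: both rows remain.
INDICATOR_ROWS = [
    {"TimeGenerated": datetime(2025, 9, 1, 8, 0), "IndicatorId": "ind-1",
     "Action": "alert", "NetworkIP": "198.51.100.10"},
    {"TimeGenerated": datetime(2025, 9, 3, 9, 0), "IndicatorId": "ind-1",
     "Action": "delete", "NetworkIP": "198.51.100.10"},
    {"TimeGenerated": datetime(2025, 9, 2, 8, 0), "IndicatorId": "ind-2",
     "Action": "alert", "NetworkIP": "203.0.113.7"},
    {"TimeGenerated": datetime(2025, 9, 4, 8, 0), "IndicatorId": "ind-3",
     "Action": "block", "NetworkIP": ""},  # no IP: skipped by isnotempty()
]

# Constructed SigninLogs rows (only the two joined columns are needed).
SIGNIN_ROWS = [
    {"UserPrincipalName": "alice@example.com", "IPAddress": "198.51.100.10"},
    {"UserPrincipalName": "bob@example.com", "IPAddress": "203.0.113.7"},
]


def naive_active(rows):
    # Wrong approach: filters individual rows, so the older "alert" row
    # of the deleted indicator ind-1 survives.
    return [r for r in rows if r["Action"] != "delete"]


def latest_state(rows):
    # Equivalent of: summarize arg_max(TimeGenerated, *) by IndicatorId
    latest = {}
    for r in rows:
        cur = latest.get(r["IndicatorId"])
        if cur is None or r["TimeGenerated"] > cur["TimeGenerated"]:
            latest[r["IndicatorId"]] = r
    return list(latest.values())


def active_indicators(rows):
    # Step 1 (latest state per indicator) then Step 2 (drop deletes).
    return [r for r in latest_state(rows) if r["Action"] != "delete"]


def match_signins(indicators, signins):
    # where isnotempty(NetworkIP) | join ... on NetworkIP == IPAddress
    ips = {r["NetworkIP"] for r in indicators if r["NetworkIP"]}
    return sorted(s["UserPrincipalName"] for s in signins if s["IPAddress"] in ips)
```

Running `match_signins(naive_active(INDICATOR_ROWS), SIGNIN_ROWS)` still returns alice, whose IP belongs to the deleted indicator, while `match_signins(active_indicators(INDICATOR_ROWS), SIGNIN_ROWS)` returns only bob.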