Akila2
Copper Contributor
Sep 04, 2025
Solved

Unable to Delete Threat Intelligence Indicator

Hi, For testing purposes, I added a TI indicator in Sentinel via the UI. When I deleted it, the indicator disappeared from the UI, but the record still exists in the ThreatIntelIndicators table. Fr...
  • No, you cannot completely and permanently delete a single record from the ThreatIntelligenceIndicator table as if it never existed.

    To ensure your analytics rule only triggers on indicators that are currently active and not deleted, you must modify your KQL query to filter out the deleted ones.

    // Step 1: Get the latest state for each indicator
    let latest_indicators = ThreatIntelligenceIndicator
    | summarize arg_max(TimeGenerated, *) by IndicatorId;
    // Step 2: Filter out any indicators where the latest state is 'delete'
    let active_indicators = latest_indicators
    | where Action != "delete";
    // Now, use 'active_indicators' in the rest of your query
    // For example, joining with SigninLogs
    active_indicators
    | where isnotempty(NetworkIP)
    | join kind=inner (
        SigninLogs
    ) on $left.NetworkIP == $right.IPAddress
    // Add other conditions and projections here
    | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
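The two-step logic from the accepted answer (collapse each IndicatorId to its latest row, then drop rows whose latest Action is "delete"), reproduced in Python over constructed sample rows so the effect can be checked offline. This is an added example, not code from the post or from Microsoft; the column names and the "delete" Action value follow the answer above, and all IPs, users and indicator ids are constructed placeholders. It also shows the pitfall the answer guards against: filtering on Action without first taking the latest state still matches the older "alert" row of a deleted indicator.

```python
from datetime import datetime, timedelta

# Constructed rows mimicking ThreatIntelligenceIndicator: ind-A was added, then
# soft-deleted two hours later, so both rows remain in the table.
T0 = datetime(2025, 9, 1, 12, 0, 0)
INDICATOR_ROWS = [
    {"IndicatorId": "ind-A", "TimeGenerated": T0, "Action": "alert", "NetworkIP": "203.0.113.10"},
    {"IndicatorId": "ind-A", "TimeGenerated": T0 + timedelta(hours=2), "Action": "delete", "NetworkIP": "203.0.113.10"},
    {"IndicatorId": "ind-B", "TimeGenerated": T0, "Action": "alert", "NetworkIP": "198.51.100.7"},
    {"IndicatorId": "ind-C", "TimeGenerated": T0, "Action": "alert", "NetworkIP": ""},
]

# Constructed SigninLogs rows (hypothetical users, documentation-range IPs).
SIGNIN_ROWS = [
    {"UserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.10"},
    {"UserPrincipalName": "bob@example.com", "IPAddress": "198.51.100.7"},
]


def latest_state(rows):
    """Equivalent of: summarize arg_max(TimeGenerated, *) by IndicatorId."""
    latest = {}
    for row in rows:
        current = latest.get(row["IndicatorId"])
        if current is None or row["TimeGenerated"] > current["TimeGenerated"]:
            latest[row["IndicatorId"]] = row
    return list(latest.values())


def active_indicators(rows):
    """Correct order: latest state first, then where Action != 'delete'."""
    return [r for r in latest_state(rows) if r["Action"] != "delete"]


def naive_active_indicators(rows):
    """Pitfall: filtering every row keeps the stale 'alert' row of a deleted indicator."""
    return [r for r in rows if r["Action"] != "delete"]


def match_signins(indicators, signins):
    """Equivalent of: where isnotempty(NetworkIP) | join SigninLogs on NetworkIP == IPAddress."""
    ips = {r["NetworkIP"] for r in indicators if r["NetworkIP"]}
    return sorted(s["UserPrincipalName"] for s in signins if s["IPAddress"] in ips)
```

With the correct ordering only bob (ind-B) matches; the naive filter also fires on alice via the deleted ind-A.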
