How to close sentinel incidents using PS


Hi Team,

A few days back, I enabled the default Analytics rules related to Azure Key Vault (AKV). After that I was hit with many incidents (approx 10K) that got triggered related to AKV. Now I want to bulk close all of them using PS, because on the UI I can only close 100 incidents in one shot.

I also agree that I need to understand and fine-tune the AKV detection rules thoroughly to avoid alert fatigue.

Please help.

Thanks.

1 Reply

@Pavan_Gelli1910 There are no supported PowerShell commands for working with Sentinel, although the people at Wortell did an amazing job coming up with some PowerShell commands on their own that make use of the unsupported Azure Sentinel REST API calls.

With that said, depending on your level of PowerShell skill and using those commands as a baseline, you can go to the Azure Sentinel REST specification page at https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma... to get information on the APIs that can be used to do what you want. A couple of things to remember:

1) Azure Sentinel used to be called Azure Security Insights, hence the API name.

2) Incidents used to be called Cases, so look for that in the API calls.
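As an added example of the approach the reply describes (calling the Microsoft.SecurityInsights REST API from PowerShell to close incidents in bulk), not code from the thread or from Wortell's module: it assumes the Az.Accounts module (Invoke-AzRestMethod) with an existing Connect-AzAccount session, that the 2019-01-01-preview incidents endpoint accepts a full PUT of the retrieved incident object with the closure fields changed, and that the noisy incidents can be recognised by a title pattern ($TitleMatch, a placeholder). The -WhatIf switch lists what would be closed without changing anything.

```powershell
# Bulk-close Azure Sentinel incidents matching a title pattern via the REST API.
# Assumptions: Az.Accounts (Invoke-AzRestMethod) and an active Connect-AzAccount session.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $Workspace,
    [string] $TitleMatch = '*Key Vault*',   # placeholder: adjust to the AKV rule titles in use
    [switch] $WhatIf
)
$apiVersion = '2019-01-01-preview'
$base = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
        "/providers/Microsoft.SecurityInsights/incidents"

# Page through the incident list; the response carries a nextLink while more pages remain.
$path = "$base`?api-version=$apiVersion"
$incidents = @()
while ($path) {
    $resp = Invoke-AzRestMethod -Method GET -Path $path
    if ($resp.StatusCode -ne 200) { throw "List failed: $($resp.StatusCode) $($resp.Content)" }
    $page = $resp.Content | ConvertFrom-Json
    $incidents += $page.value
    # nextLink is absolute; -Path expects only the part after the ARM host.
    $path = if ($page.nextLink) { ([uri]$page.nextLink).PathAndQuery } else { $null }
}

# Only open incidents whose title matches the pattern are candidates for closure.
$targets = $incidents | Where-Object {
    $_.properties.status -ne 'Closed' -and $_.properties.title -like $TitleMatch
}
Write-Host "Incidents: $($incidents.Count); open and matching '$TitleMatch': $($targets.Count)"

# Closure fields per the SecurityInsights incident schema; the comment records why.
$closure = @{
    status                = 'Closed'
    classification        = 'BenignPositive'
    classificationReason  = 'SuspiciousButExpected'
    classificationComment = 'Bulk closed: AKV default-rule noise, rules pending tuning'
}
foreach ($inc in $targets) {
    if ($WhatIf) { Write-Host "Would close $($inc.name): $($inc.properties.title)"; continue }
    # PUT replaces the incident, so send the retrieved object back with only these fields changed.
    foreach ($k in $closure.Keys) {
        $inc.properties | Add-Member -NotePropertyName $k -NotePropertyValue $closure[$k] -Force
    }
    $body = $inc | ConvertTo-Json -Depth 20
    $r = Invoke-AzRestMethod -Method PUT -Path "$base/$($inc.name)?api-version=$apiVersion" -Payload $body
    if ($r.StatusCode -notin 200, 201) { Write-Warning "Failed $($inc.name): $($r.StatusCode) $($r.Content)" }
}
```

Run it once with -WhatIf and check the count and titles before running it for real, since the API has no undo for a closed incident.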