Azure Sentinel how to clear Threat Intelligence Indicator table


Is there a way to do a bulk delete of all indicators? I have the DShieldScanningIPs source with over 100 thousand IPs and I'd like to delete them all, but it appears I can only delete 100 of them at a time. This will take a while.

4 Replies

@william890 If it is old data you want to get rid of and you always only want to keep the newer data, you can set data type retention: Manage usage and costs for Azure Monitor Logs - Azure Monitor | Microsoft Docs


This way you can set your table to only hold 30 days, for example, while the other tables will still retain 90 days.

@Gary Bushey No, I want to get rid of all data from Threat Intelligence from a specific source (in this case "DShieldScanningIPs") which is no longer useful for me. I still have other sources data that I want to keep.

Funny enough, I have this exact problem. DShield throws so many FPs when mapping to sign-in events etc. I couldn't find a way to bulk delete sadly, after searching high and low.

I ended up editing the query to basically != DShield and then wait for the retention to kick in and remove.

Will be interested if someone comes up with an answer to bulk delete though!

@william890 How comfortable are you with making REST API calls? The call to delete a single IOC is:

https://management.azure.com/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.OperationalInsights/workspaces/<workspacename>/providers/Microsoft.SecurityInsights/threatintelligence/main/indicators/<indicatorGUID>?api-version=2019-01-01-preview

There is also a "queryIndicators" call that will allow you to filter what you see by source and other properties. Go to azure-rest-api-specs/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/prev... for more information on it.
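An added worked example (my own code, not from anyone in this thread or from Microsoft) that chains the two calls above: query the indicators of one source, then DELETE each one, repeating until the source has no indicators left. It assumes the queryIndicators POST body accepts `{"pageSize", "sources"}` and answers with `{"value": [{"name": <indicatorGUID>, "properties": {"source": ...}}]}`, and that the caller supplies an authenticated HTTP function (`send`); `FakeSend` is a constructed offline stand-in so the logic can be exercised without a workspace.

```python
import uuid

API = "api-version=2019-01-01-preview"
BASE = ("https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
        "/providers/Microsoft.OperationalInsights/workspaces/{ws}"
        "/providers/Microsoft.SecurityInsights/threatintelligence/main")

def indicator_url(sub, rg, ws, guid):
    """Single-indicator URL quoted in the thread; a DELETE removes it."""
    return f"{BASE.format(sub=sub, rg=rg, ws=ws)}/indicators/{guid}?{API}"

def query_url(sub, rg, ws):
    return f"{BASE.format(sub=sub, rg=rg, ws=ws)}/queryIndicators?{API}"

def ids_from_page(page, source):
    """GUIDs on one result page whose source matches exactly (re-checked
    client-side so a loose server filter cannot widen the delete)."""
    return [i["name"] for i in page.get("value", [])
            if i.get("properties", {}).get("source") == source]

def bulk_delete(send, sub, rg, ws, source, page_size=100):
    """Fetch the first page of `source` indicators and DELETE each, until
    none remain. Re-querying page 1 rather than paging with a skip token
    avoids skipping items as earlier ones disappear. `send(method, url,
    body=None) -> (status, json)` is the caller's authenticated HTTP
    function (assumed interface; e.g. requests plus a Bearer token)."""
    deleted = []
    while True:
        status, page = send("POST", query_url(sub, rg, ws),
                            {"pageSize": page_size, "sources": [source]})
        if status != 200:
            raise RuntimeError(f"queryIndicators returned HTTP {status}")
        ok = [g for g in ids_from_page(page, source)
              if send("DELETE", indicator_url(sub, rg, ws, g))[0] in (200, 204)]
        deleted += ok
        if not ok:  # nothing left, or every delete failed: stop looping
            break
    return deleted

class FakeSend:
    """Offline stand-in for the API holding constructed indicators."""
    def __init__(self, sources):
        self.store = {str(uuid.uuid4()): s for s in sources}
    def __call__(self, method, url, body=None):
        if method == "POST":
            hits = [{"name": g, "properties": {"source": s}}
                    for g, s in self.store.items() if s in body["sources"]]
            return 200, {"value": hits[:body["pageSize"]]}
        guid = url.rsplit("/", 1)[1].split("?")[0]
        return (200, None) if self.store.pop(guid, None) else (404, None)
```

Against a real workspace, replace `FakeSend` with a function that adds the Bearer token and issues the request; indicators from other sources are never touched because the client re-checks the source of every GUID before deleting.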