william890
Mar 09, 2022 Copper Contributor
Azure Sentinel how to clear Threat Intelligence Indicator table
Is there a way to do a bulk delete of all indicators? I have the DShieldScanningIPs source with over 100 thousand IPs and I'd like to delete them all but it appears I can only delete 100 of them at a...
william890
Copper Contributor
GaryBushey No, I want to get rid of all data from Threat Intelligence from a specific source (in this case "DShieldScanningIPs") which is no longer useful for me. I still have other sources' data that I want to keep.
GaryBushey
Mar 14, 2022 Bronze Contributor
william890 How comfortable are you with making REST API calls? The call to delete a single IOC is:
https://management.azure.com/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.OperationalInsights/workspaces/<workspacename>/providers/Microsoft.SecurityInsights/threatintelligence/main/indicators/<indicatorGUID>?api-version=2019-01-01-preview
There is also a "queryIndicators" call that will allow you to filter what you see by source and other properties. Go to azure-rest-api-specs/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview at main · Azure/azure-rest-api-specs (github.com) for more information on it.
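The approach described in the reply above, as an added example that is not part of the original thread: query the indicators for one source, delete each returned GUID, and repeat until the query comes back empty, re-checking the source locally so other feeds are never touched. The names `arm_sender` and `purge_source` are hypothetical, and the request fields `sources` and `pageSize` and the response fields `value`, `name` and `properties.source` are assumptions to confirm against the linked spec.

```python
import json
import urllib.request

API_VERSION = "2019-01-01-preview"  # version quoted in the reply above
BASE = ("https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
        "/providers/Microsoft.OperationalInsights/workspaces/{ws}"
        "/providers/Microsoft.SecurityInsights/threatintelligence/main")

def arm_sender(token):
    """Return send(method, url, body) that calls ARM with a bearer token."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": "Bearer " + token,
            "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send

def purge_source(send, sub, rg, ws, source, page_size=100):
    """Delete every indicator whose source matches; return deleted GUIDs."""
    base = BASE.format(sub=sub, rg=rg, ws=ws)
    query_url = f"{base}/queryIndicators?api-version={API_VERSION}"
    deleted, seen = [], set()
    while True:
        # Assumed filter fields ("sources", "pageSize"); check the linked spec.
        page = send("POST", query_url,
                    {"sources": [source], "pageSize": page_size})
        fresh = [i for i in page.get("value", []) if i["name"] not in seen]
        if not fresh:  # empty page, or only items already handled: stop
            return deleted
        for ind in fresh:
            seen.add(ind["name"])
            # Re-check the source locally so other feeds are never deleted.
            if ind.get("properties", {}).get("source") != source:
                continue
            send("DELETE",
                 f"{base}/indicators/{ind['name']}?api-version={API_VERSION}")
            deleted.append(ind["name"])
```

Because the loop stops as soon as a page contains nothing new, a query that still lists just-deleted indicators ends the run early; running it again is safe and picks up the remainder.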