Dec 08 2022 12:46 AM
Hi All,
I am trying to close all MS Sentinel incidents via PowerShell using the script below.
Get-AzSentinelIncident -WorkspaceName "XXXXXX_XXXXXX" -All |
    Where-Object { $_.Status -eq "New" } |    # only incidents still in the New state
    ForEach-Object {
        # close each one as a false positive with a fixed closing comment
        Update-AzSentinelIncident -WorkspaceName "XXXXXXXXXXXXXXXX" -CaseNumber $_.CaseNumber `
            -Status Closed -CloseReason FalsePositive -ClosedReasonText "Bulk Closure" -Confirm:$false
    }
This works fine for incidents triggered in the last 48 hours. For older incidents (older than 48 hours) it gives the error below.
Update-AzSentinelIncident: Unable to update Incident 7833 with error message Response status code does not indicate success: 500 (Internal Server Error).
Please help me here, as I need to close over 8k old incidents.
Dec 08 2022 05:14 AM
Hi @pecific147
It might be the actual number of Incidents that are the problem versus the time range. Let me do some digging around here to find out.
I understand those Incidents existing in the workspace can be annoying, but they will expire from the workspace based on your retention setting.
Oct 17 2023 06:51 AM
@GBushey I have closed around 14K incidents because of a misconfigured analytic rule. It took some time, and I also modified the search parameter to close specific incidents with a similar name. Just replace YYY with the shared part of the incident name.
Get-AzSentinelIncident -ResourceGroupName "xxxx" -WorkspaceName "xxxx" |
    Where-Object { $_.Status -eq "New" } |          # only incidents still in the New state
    Where-Object { $_.Title -like '*YYY*' } |       # YYY = the common part of the incident title
    ForEach-Object {
        # closes the incident as Undetermined; note that -Severity Medium sets every matched incident to Medium
        Update-AzSentinelIncident -Id $_.Name -ResourceGroupName "xxxx" -WorkspaceName "xxxx" -SubscriptionId "xxxx" `
            -Status Closed -Classification Undetermined -Severity Medium -Title $_.Title -Confirm:$false
    }