Bulk Closure of old Incidents via PowerShell


Hi All, 


I am trying to close all MS Sentinel incidents via PowerShell using the script below.


Get-AzSentinelIncident -WorkspaceName "XXXXXX_XXXXXX" -All |
    Where-Object { $_.Status -eq "New" } |
    ForEach-Object {
        # Close every incident still in 'New' as a false positive, without a confirmation prompt per incident
        Update-AzSentinelIncident -WorkspaceName "XXXXXXXXXXXXXXXX" -CaseNumber $_.CaseNumber `
            -Status Closed -CloseReason FalsePositive -ClosedReasonText "Bulk Closure" -Confirm:$false
    }


This works fine for incidents triggered in the last 48 hours. For older incidents (older than 48 hours) it gives the error below.


Update-AzSentinelIncident: Unable to update Incident 7833 with error message Response status code does not indicate success: 500 (Internal Server Error).


Please help me here, as I need to close over 8k old incidents.


@Rod Trent 

5 Replies

Hi @pecific147 


It might be the actual number of incidents that is the problem, rather than the time range. Let me do some digging around here to find out.


I understand those Incidents existing in the workspace can be annoying, but they will expire from the workspace based on your retention setting.


Hi @Rod_Trent,

Did you find anything?
Workspace retention is 365 days, so waiting for retention to expire won't work.
Run this command to close incidents (replace XXXX with needed information):
Get-AzSentinelIncident -ResourceGroupName "xxxx" -WorkspaceName "xxxx" |
    Where-Object { $_.Status -eq "New" } |
    ForEach-Object {
        # Pass the incident's own severity and title back so a bulk closure does not reset every
        # incident to Medium; only the status and classification are actually being changed
        Update-AzSentinelIncident -Id $_.Name -ResourceGroupName "xxxx" -WorkspaceName "xxxx" -SubscriptionId "xxxx" `
            -Status Closed -Classification Undetermined -Severity $_.Severity -Title $_.Title -Confirm:$false
    }
Like Rod mentioned, it may be the total number of rules you are trying to work with that is causing the issue. I have not looked at the code for "Get-AzSentinelIncident", but the REST API only returns 50 items at one time by default. You could call the REST API directly and then use the "nextLink" that gets returned as the "skipToken" for the next call and iterate through your 8K incidents that way. https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents/list?tabs=HTTP
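The approach described in the reply above (walk the incident list with nextLink/$skipToken, then update each incident through the REST API), as an added example written for this page and not code from any poster in the thread. It assumes an authenticated Connect-AzAccount session with Az.Accounts (Invoke-AzRestMethod), the stable Microsoft.SecurityInsights api-version 2023-02-01 (an assumption; check the linked reference for the current one), the incident field names from that reference (properties.status, properties.createdTimeUtc, properties.title, etag, nextLink), and a hypothetical default cut-off of two days that mirrors the 48-hour boundary in the question. It collects every matching incident before writing anything, so closing incidents cannot shift the 'status eq New' result set underneath the paging walk, and it retries 429/5xx responses; a 500 that persists for a given incident, like the one in the question, exhausts the retries and is reported for that incident instead of aborting the whole run.

```powershell
#Requires -Modules Az.Accounts
# Added example (not from any post in this thread): close 'New' incidents older than a cut-off via the
# Sentinel Incidents REST API. Phase 1 pages through the list with nextLink, phase 2 PUTs each incident
# back as Closed/FalsePositive with its etag. Run with -WhatIf first to see what would be closed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $WorkspaceName,
    [int]    $OlderThanDays = 2,                  # hypothetical default, mirrors the 48 h boundary in the question
    [string] $TitlePattern  = '*',                # PowerShell wildcard applied client-side, e.g. '*YYY*'
    [string] $CloseComment  = 'Bulk closure of stale incidents',
    [int]    $MaxAttempts   = 5,
    [int]    $PageSize      = 50
)

$apiVersion = '2023-02-01'   # assumption: a stable Microsoft.SecurityInsights api-version; adjust if needed
$base = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
        "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName/providers/Microsoft.SecurityInsights"

# Invoke-AzRestMethod does not throw on HTTP errors. Retry 429 and 5xx with exponential back-off
# (honouring Retry-After when present); throw on anything else or once the attempts are used up.
function Invoke-ArmWithRetry {
    param([string] $Uri, [string] $Method = 'GET', [string] $Payload)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $call = @{ Uri = $Uri; Method = $Method }
        if ($Payload) { $call.Payload = $Payload }
        $resp = Invoke-AzRestMethod @call
        if ($resp.StatusCode -lt 400) { return $resp }
        $transient = ($resp.StatusCode -eq 429) -or ($resp.StatusCode -ge 500)
        if (-not $transient -or $attempt -eq $MaxAttempts) {
            throw "HTTP $($resp.StatusCode) from ${Method} ${Uri}: $($resp.Content)"
        }
        $delay = [int][math]::Pow(2, $attempt)
        if ($resp.Headers.RetryAfter -and $resp.Headers.RetryAfter.Delta) {
            $delay = [int]$resp.Headers.RetryAfter.Delta.TotalSeconds
        }
        Write-Warning "HTTP $($resp.StatusCode) on attempt $attempt of ${MaxAttempts}; retrying in ${delay}s"
        Start-Sleep -Seconds $delay
    }
}

# Phase 1: collect every matching incident before any write. Closing incidents changes the
# "status eq 'New'" result set, so a live nextLink walk that also updates could skip items.
$cutoff  = (Get-Date).ToUniversalTime().AddDays(-$OlderThanDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter  = [uri]::EscapeDataString("properties/status eq 'New' and properties/createdTimeUtc lt $cutoff")
$orderby = [uri]::EscapeDataString('properties/createdTimeUtc asc')
$uri = "$base/incidents?api-version=$apiVersion&`$filter=$filter&`$orderby=$orderby&`$top=$PageSize"
$targets = [System.Collections.Generic.List[object]]::new()
while ($uri) {
    $page = (Invoke-ArmWithRetry -Uri $uri).Content | ConvertFrom-Json
    foreach ($inc in $page.value) {
        if ($inc.properties.title -like $TitlePattern) { $targets.Add($inc) }
    }
    $uri = $page.nextLink   # absolute URL carrying the $skipToken; $null on the last page ends the loop
}
Write-Verbose "$($targets.Count) incident(s) created before $cutoff selected"

# Phase 2: PUT each incident back as Closed. PUT replaces the resource, so the mutable fields are
# carried over unchanged and only the closure fields are touched; the etag makes the write fail
# with 412 instead of silently overwriting an analyst's concurrent edit.
$closed = 0; $failed = 0
foreach ($inc in $targets) {
    $p = $inc.properties
    $props = @{
        title                 = $p.title
        description           = $p.description
        severity              = $p.severity           # keep the original severity rather than forcing one
        status                = 'Closed'
        classification        = 'FalsePositive'
        classificationReason  = 'IncorrectAlertLogic' # the FalsePositive reason that fits a misfiring rule
        classificationComment = $CloseComment
        firstActivityTimeUtc  = $p.firstActivityTimeUtc
        lastActivityTimeUtc   = $p.lastActivityTimeUtc
        owner                 = $p.owner
        labels                = $p.labels
    }
    foreach ($k in @($props.Keys)) { if ($null -eq $props[$k]) { $props.Remove($k) } }  # drop unset fields
    $body = @{ etag = $inc.etag; properties = $props } | ConvertTo-Json -Depth 10
    $what = "incident #$($p.incidentNumber) '$($p.title)' (created $($p.createdTimeUtc))"
    if (-not $PSCmdlet.ShouldProcess($what, 'Close as FalsePositive')) { continue }
    try {
        $null = Invoke-ArmWithRetry -Uri "$base/incidents/$($inc.name)?api-version=$apiVersion" -Method PUT -Payload $body
        $closed++
    } catch {
        $failed++
        Write-Warning "Incident #$($p.incidentNumber) ($($inc.name)) not closed: $_"
    }
    Start-Sleep -Milliseconds 200   # pace the writes; ARM write quotas are shared across the subscription
}
[pscustomobject]@{ Selected = $targets.Count; Closed = $closed; Failed = $failed; Cutoff = $cutoff }
```

Usage: save as Close-StaleIncidents.ps1 and run `.\Close-StaleIncidents.ps1 -SubscriptionId ... -ResourceGroupName ... -WorkspaceName ... -OlderThanDays 2 -TitlePattern '*YYY*' -WhatIf` to list what would be closed, then drop -WhatIf. The server-side $filter keeps the walk to the incidents that matter rather than pulling all of them and filtering in the pipeline, and collecting first means the skipToken is only ever used against an unchanging list.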

@GBushey I have closed around 14K incidents because of a misconfigured analytic rule. It took some time, and I also modified the search parameter to close specific incidents with a similar name. Just replace YYY with the similar name of the incident.


Get-AzSentinelIncident -ResourceGroupName "xxxx" -WorkspaceName "xxxx" |
    Where-Object { $_.Status -eq "New" -and $_.Title -like '*YYY*' } |
    ForEach-Object {
        # Only incidents whose title matches the pattern are closed; severity and title are passed
        # back unchanged so the bulk closure does not reset every incident to Medium
        Update-AzSentinelIncident -Id $_.Name -ResourceGroupName "xxxx" -WorkspaceName "xxxx" -SubscriptionId "xxxx" `
            -Status Closed -Classification Undetermined -Severity $_.Severity -Title $_.Title -Confirm:$false
    }