May 31 2022 01:06 PM
I would like to know how we can close multiple incidents in bulk using a KQL query or any other tested option. I would appreciate a quick response.
May 31 2022 02:29 PM - edited Jan 24 2023 07:24 AM
See if the following helps: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Update-BulkIncidents
Jun 01 2022 03:57 AM
Feb 09 2023 02:26 AM
Mar 15 2023 09:10 AM
I tried to use the reference playbook; however, I keep getting a failure:
# HTTP trigger URL of the Update-BulkIncidents playbook (placeholder)
$uri = "reference uri"
$header = @{'Content-Type' = 'application/json'}
# Request body: run the KQL query below and set every matching incident to Closed
$json = @"
{
  "bulkoperation": {
    "operationtype": "kql",
    "operationquery": "SecurityIncident | where TimeGenerated >= ago(7d) | where Status == 'New'",
    "operationstatus": "Closed"
  }
}
"@
# Pass the header hashtable instead of repeating the content type on the call
Invoke-WebRequest -Uri $uri -Method POST -Headers $header -Body $json
Oct 17 2023 04:17 AM
Mar 29 2024 09:14 AM - edited Mar 29 2024 10:04 AM
Commands to bulk delete or close incidents by title from the Azure Cloud Shell console:
Make sure you have the Microsoft Sentinel Contributor role in your subscription to run these commands.
First, open PowerShell as administrator and install the Az PowerShell module:
Install-Module -Name Az -Repository PSGallery
Then install the Az.SecurityInsights module:
Install-Module -Name Az.SecurityInsights
Log in to Azure with PowerShell:
Connect-AzAccount
Run the following commands to delete or close incidents (replace XXXX with the needed information):
Command to DELETE incidents by title:
# List every incident in the workspace, keep those whose title matches exactly,
# and delete each one by its ID (the Name property of the incident object)
Get-AzSentinelIncident -ResourceGroupName "XXXX" -WorkspaceName "XXXX" |
    Where-Object { $_.Title -eq "YOUR_TITLE_HERE" } |
    ForEach-Object { Remove-AzSentinelIncident -PassThru -ResourceGroupName "XXXX" -WorkspaceName "XXXX" -Id $_.Name }
Command to bulk CLOSE incidents by title:
# Same selection, but set each incident to Status Closed with classification Undetermined;
# Title is passed through unchanged, while -Severity Medium overwrites the incident's original severity
Get-AzSentinelIncident -ResourceGroupName "XXXX" -WorkspaceName "XXXX" |
    Where-Object { $_.Title -eq "YOUR_TITLE_HERE" } |
    ForEach-Object { Update-AzSentinelIncident -Id $_.Name -ResourceGroupName "XXXX" -WorkspaceName "XXXX" -SubscriptionId "XXXX" -Status Closed -Confirm:$false -Severity Medium -Classification Undetermined -Title $_.Title }
These operations can take a long time, so it is recommended to run them in the background by adding "&" at the end of the command and running the command 3-5 times, so incidents will be closed/deleted 3-5 times faster.
You can check the progress of each task with Get-Job.
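A fuller version of the close/delete procedure above, as an added example that is not part of the original thread and not code from the Az.SecurityInsights module itself. It keeps the same cmdlets but (a) skips incidents that are already closed and offers a dry run before touching anything, (b) re-reads each incident so its own title and severity are kept instead of forcing -Severity Medium, and (c) gets the parallelism the answer is after by handing each background job a disjoint slice of incident IDs, rather than re-running the same pipeline several times with "&", where every copy fetches and tries to update or delete the same incidents. The script name Close-SentinelIncidentsByTitle.ps1, the resource group, workspace and title values, and the classification comment are assumptions; the script also assumes Az.SecurityInsights is installed, Connect-AzAccount has been run, and the login context is visible to background jobs (Enable-AzContextAutosave, the default in Cloud Shell, which the original "&" approach relies on as well).

```powershell
# Close-SentinelIncidentsByTitle.ps1 (hypothetical name) - added example, not from the thread.
# Closes (or deletes) every non-closed Sentinel incident whose title matches exactly,
# splitting the work across N background jobs whose incident sets never overlap.
# Assumes: Az.SecurityInsights installed, Connect-AzAccount done, and the Az context
# shared with child jobs (Enable-AzContextAutosave; on by default in Cloud Shell).
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $WorkspaceName,
    [Parameter(Mandatory)] [string] $Title,
    [ValidateSet('Close', 'Delete')] [string] $Action = 'Close',
    [int] $Workers = 4,
    [switch] $DryRun
)

# 1. Select targets: exact title match, and skip incidents that are already closed.
$targets = @(Get-AzSentinelIncident -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName |
             Where-Object { $_.Title -eq $Title -and $_.Status -ne 'Closed' })
Write-Host ("{0} open incident(s) titled '{1}' selected for {2}" -f $targets.Count, $Title, $Action)
if ($DryRun -or $targets.Count -eq 0) { return }    # -DryRun: report only, change nothing

# 2. Deal incident IDs (the Name property) round-robin into disjoint slices, one per worker.
$slices = [object[]]::new($Workers)
for ($w = 0; $w -lt $Workers; $w++) { $slices[$w] = [System.Collections.Generic.List[string]]::new() }
for ($i = 0; $i -lt $targets.Count; $i++) { $slices[$i % $Workers].Add($targets[$i].Name) }

# 3. One background job per non-empty slice. "&" in the answer above is also a job, but
#    each of its copies would re-fetch and modify the same incidents as the others.
$jobs = foreach ($slice in $slices) {
    if ($slice.Count -eq 0) { continue }
    Start-Job -ArgumentList $ResourceGroupName, $WorkspaceName, $Action, $slice.ToArray() -ScriptBlock {
        param($rg, $ws, $action, $ids)
        foreach ($id in $ids) {
            try {
                if ($action -eq 'Delete') {
                    Remove-AzSentinelIncident -ResourceGroupName $rg -WorkspaceName $ws -Id $id -Confirm:$false
                } else {
                    # Re-read so the update keeps the incident's own title and severity
                    $inc = Get-AzSentinelIncident -ResourceGroupName $rg -WorkspaceName $ws -Id $id
                    Update-AzSentinelIncident -ResourceGroupName $rg -WorkspaceName $ws -Id $id `
                        -Title $inc.Title -Severity $inc.Severity -Status Closed `
                        -Classification Undetermined -ClassificationComment 'Bulk closed by script' `
                        -Confirm:$false | Out-Null
                }
                [pscustomobject]@{ Id = $id; Result = 'OK' }
            } catch {
                # One failing incident must not stop the rest of the slice
                [pscustomobject]@{ Id = $id; Result = "Failed: $($_.Exception.Message)" }
            }
        }
    }
}

# 4. Wait for the workers (Get-Job shows their state meanwhile) and summarise the outcome.
$results = $jobs | Wait-Job | Receive-Job
$jobs | Remove-Job
$results | Group-Object Result | Select-Object Count, Name
```

Run it first with -DryRun to see how many incidents would be touched, e.g. `.\Close-SentinelIncidentsByTitle.ps1 -ResourceGroupName rg-sec -WorkspaceName law-sentinel -Title 'Suspicious sign-in' -DryRun` (hypothetical values), then without the switch. Two practical caveats: deleting an incident removes the triage record entirely, so closing with a classification is the better default when the point is just to clear a backlog; and closing incidents only needs the Microsoft Sentinel Responder role, so the Contributor role the answer asks for is more than the close path requires.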