May 31 2022 01:06 PM
I would like to know how we can close multiple incidents in bulk using KQL query or any other tested option. Appreciate quick response.
May 31 2022 02:29 PM - edited Jan 24 2023 07:24 AM
See if the following helps: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Update-BulkIncidents
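For anyone who would rather not deploy the Logic App, the same bulk close can be done straight from PowerShell with the Az modules. This is an added example, not code from the thread or from the Update-BulkIncidents playbook. It assumes Az.Accounts, Az.OperationalInsights and Az.SecurityInsights (3.x parameter names, i.e. Update-AzSentinelIncident -Id) are installed and Connect-AzAccount has been run; the resource group, workspace name and workspace ID are placeholders. It also applies the arg_max pattern that the SecurityIncident table needs, since that table stores one row per incident update rather than one row per incident.

```powershell
# Added example (not from the thread or the Update-BulkIncidents playbook):
# bulk-close Microsoft Sentinel incidents that are *currently* New, using
# Az PowerShell instead of a Logic App.
# Assumes: Az.Accounts, Az.OperationalInsights and Az.SecurityInsights (3.x
# parameter names) are installed and Connect-AzAccount has been run.
# Resource group, workspace name and workspace ID below are placeholders.
#Requires -Modules Az.Accounts, Az.OperationalInsights, Az.SecurityInsights

[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ResourceGroupName = 'rg-sentinel',                           # placeholder
    [string]$WorkspaceName     = 'law-sentinel',                          # placeholder
    [string]$WorkspaceId       = '00000000-0000-0000-0000-000000000000',  # placeholder: workspace GUID, not its name
    [int]$LookbackDays         = 7,
    [string]$Comment           = 'Bulk closed via script'
)

# SecurityIncident writes one row per incident *update*, so filter on Status only
# after collapsing to the latest row per incident; otherwise incidents that were
# New a week ago but have since been closed would be matched again.
$kql = @"
SecurityIncident
| where TimeGenerated >= ago(${LookbackDays}d)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status == 'New'
| project IncidentNumber, IncidentName, Title
"@

$result    = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$incidents = @($result.Results)
Write-Host "Found $($incidents.Count) incident(s) currently in status New"

$closed = 0
foreach ($inc in $incidents) {
    # IncidentName in the table is the incident GUID that the ARM API uses as the Id
    $target = "#$($inc.IncidentNumber) '$($inc.Title)'"
    if ($PSCmdlet.ShouldProcess($target, 'Close incident')) {
        try {
            Update-AzSentinelIncident -ResourceGroupName $ResourceGroupName `
                -WorkspaceName $WorkspaceName `
                -Id $inc.IncidentName `
                -Status Closed `
                -Classification Undetermined `
                -ClassificationComment $Comment | Out-Null
            $closed++
        }
        catch {
            Write-Warning "Failed to close $target : $($_.Exception.Message)"
        }
    }
}
Write-Host "Closed $closed of $($incidents.Count) incident(s)"
```

Run it once with -WhatIf to see exactly which incidents would be closed before committing. Undetermined is used because it is the one classification that does not require a -ClassificationReason; TruePositive, BenignPositive and FalsePositive each need a matching reason (for example SuspiciousActivity, SuspiciousButExpected, IncorrectAlertLogic or InaccurateData), and the API rejects the update without one.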
Jun 01 2022 03:57 AM
Feb 09 2023 02:26 AM
Mar 15 2023 09:10 AM
I tried to use the reference playbook; however, I keep getting a failure:
# HTTP trigger URL of the Update-BulkIncidents Logic App (placeholder kept from the post)
$uri = "reference uri"
# Note: SecurityIncident keeps one row per incident update, so collapse to the latest
# row per incident before filtering on Status, or incidents that were New a week
# ago but have since been closed will be picked up again.
$json = @"
{ "bulkoperation": {
    "operationtype": "kql",
    "operationquery": "SecurityIncident | where TimeGenerated >= ago(7d) | summarize arg_max(TimeGenerated, *) by IncidentNumber | where Status == 'New'",
    "operationstatus": "Closed"
  }
}
"@
# -ContentType already sets the Content-Type header, so the separate $header
# hashtable from the original post is not needed (and on Windows PowerShell 5.1
# passing Content-Type via -Headers is rejected).
$response = Invoke-WebRequest -Uri $uri -Method POST -Body $json -ContentType "application/json"
# Show what the trigger answered so a non-2xx status is visible
$response.StatusCode
$response.Content
Oct 17 2023 04:17 AM