Microsoft Tech Community

How to close Sentinel incidents in bulk


I would like to know how we can close multiple incidents in bulk using a KQL query or any other tested option. I would appreciate a quick response.

7 Replies
The "Actions" button in the Incidents page in the portal will allow you to do this.
Not able to access the above link.
Updated the link.
Not able to access the link. If you paste the query here, it will be useful.

@Rod_Trent 


I tried to use the reference playbook; however, I keep getting a failure:

[attached screenshot of the failure: KentuckyMike2085_0-1678896523822.png]


```powershell
# HTTP trigger URL of the bulk-close playbook (placeholder kept from the post; fill in your own)
$uri = "reference uri"

# Request headers; the playbook trigger expects a JSON body
$header = @{ 'Content-Type' = 'application/json' }

# Body in the shape the reference playbook expects: a KQL selection of incidents
# plus the status they should be moved to
$json = @"
{
  "bulkoperation": {
    "operationtype": "kql",
    "operationquery": "SecurityIncident | where TimeGenerated >= ago(7d) | where Status == 'New'",
    "operationstatus": "Closed"
  }
}
"@

# Pass the header table that was built above (it was defined but never sent before)
Invoke-WebRequest -Uri $uri -Method POST -Headers $header -Body $json
```

First open PowerShell as administrator and install the Az PowerShell module:
```powershell
Install-Module -Name Az -Repository PSGallery
```
Then install the Az.SecurityInsights module:
```powershell
Install-Module -Name Az.SecurityInsights
```
Log in to Azure with PowerShell:
```powershell
Connect-AzAccount
```
Run this command to close incidents (replace xxxx with the needed information). Title and Severity are passed through from each incident so that closing it does not overwrite them; a Classification is required when setting Status to Closed:
```powershell
Get-AzSentinelIncident -ResourceGroupName "xxxx" -WorkspaceName "xxxx" |
    Where-Object { $_.Status -eq "New" } |
    ForEach-Object {
        Update-AzSentinelIncident -Id $_.Name `
            -ResourceGroupName "xxxx" -WorkspaceName "xxxx" -SubscriptionId "xxxx" `
            -Status Closed -Classification Undetermined `
            -Severity $_.Severity -Title $_.Title `
            -Confirm:$false
    }
```
Get-AzSentinelIncident -ResourceGroupName "xxxx" -WorkspaceName "xxxx" | Where-Object {$_.Status -eq "New"} | ForEach-Object {Update-AzSentinelIncident -Id $_.Name -ResourceGroupName "xxxx" -WorkspaceName "xxxx" -SubscriptionId "xxxx" -Status Closed -Confirm:$false -Severity Medium -Classification Undetermined -Title $_.title}