How to close sentinel incidents using PS


Hi Team,

A few days back, I enabled the default Analytics rules related to Azure Key Vault (AKV). After that I was hit with many incidents (approx. 10K) that got triggered related to AKV. Now I want to bulk-close all of them using PS, because in the UI I can only close 100 incidents in one shot.

I also agree that I need to understand and fine-tune the AKV detection rules thoroughly to avoid alert fatigue.

Please help.

Thanks.

5 Replies

@Pavan_Gelli1910 There are no supported PowerShell commands for working with Sentinel, although the people at Wortell did an amazing job coming up with some PowerShell commands on their own that make use of the unsupported Azure Sentinel REST API calls.

With that said, depending on your level of PowerShell skill, and using those commands as a baseline, you can go to the Azure Sentinel REST specification page at https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma... to get information on the APIs that can be used to do what you want. A couple of things to remember:

1) Azure Sentinel used to be called Azure Security Insights, hence the API name.

2) Incidents used to be called Cases, so look for that in the API calls.

@Pavan_Gelli1910

Better late than never on this question...

There is now a really nice suite of PowerShell commands for Azure Sentinel.

Check this out:

https://www.pkm-technology.com/page/2/

https://www.powershellgallery.com/packages/AzSentinel/0.6.2

And to answer your question, you could do a simple loop like this:

888..934 | % {Update-AzSentinelIncident -WorkspaceName "<workspace name>" -CaseNumber $_ -Status Closed}

In the above example I'm closing incidents with case numbers 888 to 934.

 

@Pavan_Gelli1910

Get-AzSentinelIncident -WorkspaceName "<Workspace Name>" | ForEach-Object {Update-AzSentinelIncident -WorkspaceName "<Workspace Name>" -CaseNumber $_.CaseNumber -Status Closed -CloseReason FalsePositive -Confirm:$false}

Is there a way to do this with the new PS module? To close multiple incidents using the BenignPositive classification by Incident ID instead of the ARM ID?

@Pavan_Gelli1910

Hi, I have a script that I have tested on 14K incidents.

First, open PowerShell as administrator and install the Az PowerShell module:
Install-Module -Name Az -Repository PSGallery
Then install the Az.SecurityInsights module:
Install-Module -Name Az.SecurityInsights
Log in to Azure with PowerShell:
Connect-AzAccount
Run this command to close incidents (replace xxxx with the needed information and YYY with the part of the name shared by the similar incidents that you want to close):
Get-AzSentinelIncident -ResourceGroupName "xxxx" -WorkspaceName "xxxx" | Where-Object {$_.Status -eq "New"} | Where-Object {$_.title -like '*YYY*'} | ForEach-Object {Update-AzSentinelIncident -Id $_.Name -ResourceGroupName "xxxx" -WorkspaceName "xxxx" -SubscriptionId "xxxx" -Status Closed -Confirm:$false -Severity Medium -Classification Undetermined -Title $_.title}
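The one-liner above, and the earlier question about closing by incident ID with the BenignPositive classification, can be combined into a script that is safe to run against thousands of incidents. The following is an added example written for this thread, not code from any of the posters or from the Az.SecurityInsights module itself. It assumes Az.Accounts and Az.SecurityInsights are installed and Connect-AzAccount has been run; the parameter names -Classification, -ClassificationReason and -ClassificationComment, and the incident properties Name, Title, Status, Severity and IncidentNumber, are assumed to match the version of the module used in the post above (which already passes -Id, -Status, -Severity, -Title and -Classification). The title pattern and the placeholder subscription, resource group and workspace values are constructed. Without -Commit the script only lists and exports what it would close, so the candidate set can be reviewed before any incident is touched.

```powershell
# Added example (not from the thread). Assumes Az.Accounts + Az.SecurityInsights
# are installed and Connect-AzAccount has already been run.
param(
    [string]$SubscriptionId    = "<subscription id>",     # placeholder
    [string]$ResourceGroupName = "<resource group>",      # placeholder
    [string]$WorkspaceName     = "<workspace name>",      # placeholder
    [string]$TitlePattern      = "*Key Vault*",           # constructed example pattern
    [string]$Comment           = "Bulk-closed: noisy AKV analytics rule pending tuning",
    [switch]$Commit                                        # without -Commit nothing is changed
)

$ErrorActionPreference = 'Stop'
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Pull the incident list once, then filter client-side: only open incidents
# (New or Active) whose title matches the pattern are candidates. Closed
# incidents are never re-written, so the script is safe to re-run.
$candidates = @(
    Get-AzSentinelIncident -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName |
        Where-Object { $_.Status -in @('New', 'Active') -and $_.Title -like $TitlePattern }
)
Write-Host ("{0} incident(s) match '{1}'" -f $candidates.Count, $TitlePattern)

# Keep an audit record of exactly which incidents were selected (assumed property names).
$log = Join-Path $PWD ("bulk-close-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
$candidates |
    Select-Object Name, IncidentNumber, Title, Severity, Status |
    Export-Csv -Path $log -NoTypeInformation

if (-not $Commit) {
    Write-Host "Dry run only. Review $log and re-run with -Commit to close these incidents."
    return
}

# Close each candidate by its incident ID ($inc.Name, as in the post above), keeping
# its existing title and severity, and record why it was closed so the classification
# is still meaningful when the AKV rules are tuned later.
$closed = 0
$failed = 0
foreach ($inc in $candidates) {
    try {
        Update-AzSentinelIncident -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName `
            -Id $inc.Name -Status Closed `
            -Classification BenignPositive -ClassificationReason SuspiciousButExpected `
            -ClassificationComment $Comment `
            -Title $inc.Title -Severity $inc.Severity -Confirm:$false | Out-Null
        $closed++
    }
    catch {
        # One failed update (throttling, a concurrently modified incident) must not
        # abort the whole batch; report it and carry on.
        $failed++
        Write-Warning ("Failed to close {0} ({1}): {2}" -f $inc.Name, $inc.Title, $_.Exception.Message)
    }
}
Write-Host ("Closed {0}, failed {1}. Log: {2}" -f $closed, $failed, $log)
```

Run it once without -Commit and inspect the exported CSV; if the candidate list is what you expect, run it again with -Commit. Matching on title alone is deliberately narrow: the pattern should identify the single noisy rule being silenced, so that genuine Key Vault incidents raised by other rules stay open.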