Jan 03 2020 02:46 AM - last edited on Jan 04 2022 12:25 PM by TechCommunityAP
Hi Team,
A few days back, I enabled the default analytics rules related to Azure Key Vault (AKV). After that I was hit with many incidents (approx. 10K) triggered related to AKV. Now I want to bulk close all of them using PS, because on the UI I can only close 100 incidents in one shot.
I also agree that I need to understand and fine-tune the AKV detection rules thoroughly to avoid alert fatigue.
Please help.
Thanks.
Jan 03 2020 03:00 AM
@Pavan_Gelli1910 There are no supported PowerShell commands for working with Sentinel although the people at Wortell did an amazing job coming up with some PowerShell commands on their own that make use of the unsupported Azure Sentinel REST APIs calls.
With that said, depending on your level of PowerShell skill and using those commands as a baseline, you can go to the Azure Sentinel REST specification page at https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma... to get information on the APIs that can be used to do what you want. A couple of things to remember:
1) Azure Sentinel used to be called Azure Security Insights, hence the API name
2) Incidents used to be called Cases so look for that in the API calls.
Oct 12 2020 09:24 AM
Better late than never on this question...
There is now a really nice suite of PowerShell commands for Azure Sentinel.
Check this out:
https://www.pkm-technology.com/page/2/
https://www.powershellgallery.com/packages/AzSentinel/0.6.2
And to answer your question you could do a simple loop like this:
888..934| % {Update-AzSentinelIncident -WorkspaceName "<workspace name>" -CaseNumber $_ -Status Closed}
In the above example I'm closing incidents with case numbers 888 to 934.
Sep 22 2021 08:33 PM
Get-AzSentinelIncident -WorkspaceName "<Workspace Name>" | ForEach-Object {Update-AzSentinelIncident -WorkspaceName "<Workspace Name>" -CaseNumber $_.CaseNumber -Status Closed -CloseReason FalsePositive -Confirm:$false}
Mar 02 2022 08:38 AM
Oct 17 2023 06:55 AM
Hi, I have a script that I have tested on 14K incidents.
First open PowerShell as administrator and install Az PowerShell module:
Install-Module -Name Az -Repository PSGallery
Then Install Az.SecurityInsights module:
Install-Module -Name Az.SecurityInsights
Login to AZ with PowerShell:
Connect-AzAccount
Run this command to close incidents (replace xxxx with the needed information and YYY with the part of the name of similar incidents that you want to close):
Get-AzSentinelIncident -ResourceGroupName "xxxx" -WorkspaceName "xxxx" | Where-Object {$_.Status -eq "New"} | Where-Object {$_.title -like '*YYY*'} | ForEach-Object {Update-AzSentinelIncident -Id $_.Name -ResourceGroupName "xxxx" -WorkspaceName "xxxx" -SubscriptionId "xxxx" -Status Closed -Confirm:$false -Severity Medium -Classification Undetermined -Title $_.title}
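The same bulk-close as a reusable function, added here as an example and not posted by anyone in this thread. It assumes the Az.SecurityInsights cmdlets and parameter names used in the post above, filters client-side with Where-Object, supports -WhatIf so the matching set can be previewed before anything is changed, and keeps each incident's original title and severity instead of overwriting them.

```powershell
# Added example; assumes Az.SecurityInsights cmdlet/parameter names as used in the thread above.
function Close-SentinelIncidentsByTitle {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $WorkspaceName,
        [Parameter(Mandatory)] [string] $TitlePattern,   # wildcard, e.g. '*Key Vault*'
        [ValidateSet('New', 'Active')] [string] $Status = 'New',
        [ValidateSet('Undetermined', 'TruePositive', 'BenignPositive', 'FalsePositive')]
        [string] $Classification = 'BenignPositive',
        [ValidateSet('SuspiciousActivity', 'SuspiciousButExpected', 'IncorrectAlertLogic', 'InaccurateData')]
        [string] $ClassificationReason = 'SuspiciousButExpected',
        [string] $Comment = 'Bulk closed: noisy analytics rule pending tuning'
    )

    # Pull every incident once, then narrow to the ones we actually intend to close.
    $candidates = Get-AzSentinelIncident -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName |
        Where-Object { $_.Status -eq $Status -and $_.Title -like $TitlePattern }
    Write-Host ("{0} incident(s) match status '{1}' and title '{2}'" -f @($candidates).Count, $Status, $TitlePattern)

    $closed = 0; $failed = 0
    foreach ($inc in $candidates) {
        $target = "#$($inc.IncidentNumber) '$($inc.Title)'"
        # With -WhatIf this only reports what would happen; nothing is updated.
        if (-not $PSCmdlet.ShouldProcess($target, "Close as $Classification")) { continue }
        $params = @{
            ResourceGroupName     = $ResourceGroupName
            WorkspaceName         = $WorkspaceName
            Id                    = $inc.Name       # incident GUID, as in the post above
            Title                 = $inc.Title      # keep the original title
            Severity              = $inc.Severity   # keep the original severity rather than forcing one value
            Status                = 'Closed'
            Classification        = $Classification
            ClassificationComment = $Comment
            Confirm               = $false
        }
        # The API accepts a reason only when a real classification is given.
        if ($Classification -ne 'Undetermined') { $params.ClassificationReason = $ClassificationReason }
        try {
            Update-AzSentinelIncident @params | Out-Null
            $closed++
        } catch {
            $failed++   # keep going; one bad incident should not abort a 10K run
            Write-Warning "Failed to close $target : $($_.Exception.Message)"
        }
    }
    Write-Host "Closed: $closed  Failed: $failed"
}

# Preview first, then drop -WhatIf to close for real:
# Close-SentinelIncidentsByTitle -ResourceGroupName 'rg' -WorkspaceName 'ws' -TitlePattern '*Key Vault*' -WhatIf
```

Run with -WhatIf once and check the reported match count against what the portal shows before running without it; a pattern that is too broad will close unrelated incidents just as quickly.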