Is it possible to remove an Azure Sentinel incident? The answer is Yes. However, this is not going to be a recommendation for security operation.
Let’s see how to make that happen.
[Updated] This works with incidents that are generated from ASC. Incidents generated from scheduled analytic rule are not effective. I’d like to give a credit to Nathan Swift for his time testing.
TL;DR: You can skip this article and use the script from here to delete an incident in Azure Sentinel https://github.com/azsec/azure-sentinel-tools/blob/master/scripts/Delete-AzureSentinelIncident.ps1
Again, deleting a security incident is never a recommendation even in a test environment. If you think an incident is a false positive case just close it. Azure Sentinel allows you to close an incident and mark it whether True Positive or False Positive.
What would be a use case for incident removal? I couldn’t think of any case. Perhaps that would fit for adversary who would like to delete an incident after being detected?
Azure Sentinel API – Incident Removal
To delete a specific incident you only need to supply to Azure Sentinel API incident ID, as well as Log Analytics workspace information (Name and Resource Group) or simply a WorkspaceId
The URI is as follows:
|
1 |
https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/cases/" + $IncidentId + "/?api-version=2019-01-01-preview" |
- WorkspaceId is the Id of the Log Analytics workspace that Azure Sentinel connects to.
- IncidentId is a unique ID that you can get from running this script
The accepted method to delete an incident is DELETE.
If you want to catch response status code use Invoke-WebRequest instead of Invoke-RestMethod .
Non-Windows Laziness
For ‘lazy’ people who may work on Linux and love Azure CLI, below is the dirty code spinet to remove an Azure Sentinel incident
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
ACCESS_TOKEN=$(az account get-access-token --query 'accessToken' -o tsv) AUTH_HEADER="Authorization: Bearer $ACCESS_TOKEN" RM_ENDPOINT='https://management.azure.com' CONTENT_TYPE="Content-Type: application/json" SUBSCRIPTION_ID="XXXXXXXXXX" RG_NAME="XXXXXXX" WORKSPACE_NAME="XXXXXXXXXX" INCIDENT_ID="XXXXXXXX" WORKSPACE_ID=$(az monitor log-analytics workspace show --resource-group $RG_NAME \ --workspace-name $WORKSPACE_NAME \ --query 'id' \ -o tsv) echo $WORKSPACE_ID URI="$RM_ENDPOINT/$WORKSPACE_ID/providers/Microsoft.SecurityInsights/cases/$INCIDENT_ID?api-version=2019-01-01-preview" echo $URI curl -X DELETE -H "$AUTH_HEADER" -H "$CONTENT_TYPE" $URI |
You need latest Azure CLI to use az monitor log-analytics workspace
Azure Activity Log
You can check Azure activity log. Or use query like below if you have log fed to your workspace
|
1 2 |
AzureActivity | where OperationNameValue =~ "Microsoft.SecurityInsights/cases/delete" |
As of this article the API is still there. However it may get removed in the future.
Pingback: Create a fully customized Azure Sentinel incident - Microsoft Azure Security RandomnessMicrosoft Azure Security Randomness
Pingback: Extract all Azure Sentinel incidents - Microsoft Azure Security RandomnessMicrosoft Azure Security Randomness
Pingback: Update Azure Sentinel incident programatically