Delete an Azure Sentinel incident (from ASC)

Is it possible to remove an Azure Sentinel incident? The answer is yes. However, this is not going to be a recommended practice for security operations.

Let’s see how to make that happen.

[Updated] This works with incidents that are generated from ASC. It does not work for incidents generated from scheduled analytic rules. I’d like to give credit to Nathan Swift for his time testing.

TL;DR: You can skip this article and use the script from here to delete an incident in Azure Sentinel https://github.com/azsec/azure-sentinel-tools/blob/master/scripts/Delete-AzureSentinelIncident.ps1

Again, deleting a security incident is never a recommendation, even in a test environment. If you think an incident is a false positive, just close it. Azure Sentinel allows you to close an incident and mark it as either True Positive or False Positive.

What would be a use case for incident removal? I couldn’t think of any. Perhaps it would fit an adversary who would like to delete an incident after being detected?

Azure Sentinel API – Incident Removal

To delete a specific incident you only need to supply the incident ID to the Azure Sentinel API, together with the Log Analytics workspace information (name and resource group) or simply the WorkspaceId.

The URI is as follows:

"https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/cases/" + $IncidentId + "/?api-version=2019-01-01-preview"

  • WorkspaceId is the Id of the Log Analytics workspace that Azure Sentinel connects to.
  • IncidentId is the unique ID of the incident, which you can get from running this script.

The accepted method to delete an incident is DELETE.

If you want to capture the response status code, use Invoke-WebRequest instead of Invoke-RestMethod.

Non-Windows Laziness

For ‘lazy’ people who work on Linux and love Azure CLI, below is a quick-and-dirty code snippet to remove an Azure Sentinel incident.

#!/usr/bin/env bash
# Stop on the first failing command or unset variable so a bad token or a
# failed workspace lookup does not turn into a half-formed DELETE request.
set -euo pipefail

ACCESS_TOKEN=$(az account get-access-token --query 'accessToken' -o tsv)
AUTH_HEADER="Authorization: Bearer $ACCESS_TOKEN"
RM_ENDPOINT='https://management.azure.com'
CONTENT_TYPE="Content-Type: application/json"

SUBSCRIPTION_ID="XXXXXXXXXX"
RG_NAME="XXXXXXX"
WORKSPACE_NAME="XXXXXXXXXX"
INCIDENT_ID="XXXXXXXX"

# Make sure the workspace lookup runs against the intended subscription.
az account set --subscription "$SUBSCRIPTION_ID"

# Full ARM resource ID of the workspace (starts with /subscriptions/...);
# it becomes the path prefix of the incident URI.
WORKSPACE_ID=$(az monitor log-analytics workspace show --resource-group "$RG_NAME" \
                                                       --workspace-name "$WORKSPACE_NAME" \
                                                       --query 'id' \
                                                       -o tsv)
echo "$WORKSPACE_ID"

# No slash between endpoint and resource ID: the resource ID already begins with one.
URI="$RM_ENDPOINT$WORKSPACE_ID/providers/Microsoft.SecurityInsights/cases/$INCIDENT_ID?api-version=2019-01-01-preview"
echo "$URI"

# -w prints the HTTP status code so you can confirm whether the call was accepted.
curl -sS -X DELETE -H "$AUTH_HEADER" -H "$CONTENT_TYPE" -w '\nHTTP status: %{http_code}\n' "$URI"

You need the latest Azure CLI to use az monitor log-analytics workspace.

Azure Activity Log

You can check the Azure activity log directly, or use a query like the one below if you have the Azure Activity log fed into your workspace.

AzureActivity
| where OperationNameValue =~ "Microsoft.SecurityInsights/cases/delete"
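The same filter as the KQL query above, carried a step further: the script below (an added example, not code from the original post) takes AzureActivity rows, keeps the incident-delete operations with the same case-insensitive match that =~ performs, separates successful deletes from rejected attempts, pulls the incident ID out of the ARM resource ID, and flags deletions by any identity that is not expected to delete incidents. It assumes rows shaped like the AzureActivity table (TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ResourceId), for instance what az monitor log-analytics query -o json returns; the rows embedded in the script are constructed sample data with placeholder subscription and incident IDs.

```python
"""Spot Azure Sentinel incident deletions in AzureActivity rows.

Added example, not code from the original post. Rows are assumed to carry the
AzureActivity columns TimeGenerated, OperationNameValue, ActivityStatusValue,
Caller, CallerIpAddress and ResourceId; SAMPLE_ROWS is constructed data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence

# The operation the post's KQL query matches with =~ (case-insensitive).
DELETE_OPERATION = "Microsoft.SecurityInsights/cases/delete"

# Constructed sample rows; subscription and incident IDs are placeholders.
_WS = ("/subscriptions/SUB-ID-PLACEHOLDER/resourcegroups/rg-sentinel/providers"
       "/microsoft.operationalinsights/workspaces/la-sentinel")
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"TimeGenerated": "2020-03-01T10:15:00Z",
     "OperationNameValue": "Microsoft.SecurityInsights/cases/delete",
     "ActivityStatusValue": "Success", "Caller": "alice@example.com",
     "CallerIpAddress": "203.0.113.10",
     "ResourceId": _WS + "/providers/Microsoft.SecurityInsights/cases/INCIDENT-1"},
    # Same operation in different case: KQL =~ ignores case, so we must too.
    {"TimeGenerated": "2020-03-01T10:16:00Z",
     "OperationNameValue": "MICROSOFT.SECURITYINSIGHTS/CASES/DELETE",
     "ActivityStatusValue": "Success", "Caller": "svc-automation@example.com",
     "CallerIpAddress": "198.51.100.7",
     "ResourceId": _WS + "/providers/Microsoft.SecurityInsights/cases/INCIDENT-2"},
    # A delete that ARM rejected: worth knowing about, but the incident is not gone.
    {"TimeGenerated": "2020-03-01T10:17:00Z",
     "OperationNameValue": "Microsoft.SecurityInsights/cases/delete",
     "ActivityStatusValue": "Failed", "Caller": "bob@example.com",
     "CallerIpAddress": "203.0.113.11",
     "ResourceId": _WS + "/providers/Microsoft.SecurityInsights/cases/INCIDENT-3"},
    # Unrelated read of an incident: must not be flagged.
    {"TimeGenerated": "2020-03-01T10:18:00Z",
     "OperationNameValue": "Microsoft.SecurityInsights/cases/read",
     "ActivityStatusValue": "Success", "Caller": "alice@example.com",
     "CallerIpAddress": "203.0.113.10",
     "ResourceId": _WS + "/providers/Microsoft.SecurityInsights/cases/INCIDENT-1"},
]


@dataclass(frozen=True)
class DeletionEvent:
    time: str
    caller: str
    caller_ip: str
    incident_id: str
    status: str


def incident_id_from_resource(resource_id: str) -> str:
    """Return the path segment after '.../cases/' in an ARM resource ID, or ''."""
    parts = resource_id.rstrip("/").split("/")
    for i, seg in enumerate(parts[:-1]):
        if seg.lower() == "cases":
            return parts[i + 1]
    return ""


def find_incident_deletions(rows: Iterable[Dict[str, str]],
                            include_failed: bool = False) -> List[DeletionEvent]:
    """Python equivalent of the post's KQL filter on OperationNameValue.

    By default only successful deletes are returned (incidents actually gone);
    pass include_failed=True to also see rejected attempts.
    """
    events: List[DeletionEvent] = []
    for row in rows:
        if row.get("OperationNameValue", "").lower() != DELETE_OPERATION.lower():
            continue
        status = row.get("ActivityStatusValue", "")
        if not include_failed and status != "Success":
            continue
        events.append(DeletionEvent(
            time=row.get("TimeGenerated", ""),
            caller=row.get("Caller", ""),
            caller_ip=row.get("CallerIpAddress", ""),
            incident_id=incident_id_from_resource(row.get("ResourceId", "")),
            status=status,
        ))
    return events


def unexpected_deletions(events: Sequence[DeletionEvent],
                         allowed_callers: Iterable[str] = ()) -> List[DeletionEvent]:
    """Deletions by anyone outside the (normally empty) set of identities allowed to delete."""
    allowed = {c.lower() for c in allowed_callers}
    return [e for e in events if e.caller.lower() not in allowed]


if __name__ == "__main__":
    for e in unexpected_deletions(find_incident_deletions(SAMPLE_ROWS)):
        print(f"{e.time} {e.caller} ({e.caller_ip}) deleted incident {e.incident_id}")
```

Because the post's own position is that nobody should be deleting incidents, the allowed-caller set will usually be empty and every successful delete is worth a look; the failed attempts are still useful as a signal that someone tried.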

As of this writing the API is still available. However, it may be removed in the future.
