Delete an Azure Sentinel incident (from ASC)

Is it possible to delete an Azure Sentinel incident? Yes. It is not, however, something to recommend for security operations.

Let’s see how to make that happen.

[Updated] This works for incidents generated from Azure Security Center (ASC). Incidents generated by scheduled analytics rules are not affected. Credit to Nathan Swift for his time testing this.

TL;DR: You can skip the rest of this article and use the script from here to delete an incident in Azure Sentinel.

Again, deleting a security incident is never recommended, even in a test environment. If you believe an incident is a false positive, close it instead: Azure Sentinel lets you close an incident and classify it as True Positive or False Positive.

What would be a use case for incident removal? I couldn't think of one. Perhaps an adversary who wants to delete an incident after being detected?

Azure Sentinel API – Incident Removal

To delete a specific incident you only need to supply the Azure Sentinel API with the incident ID and the Log Analytics workspace information (name and resource group), or simply a WorkspaceId.

The URI is as follows:

  • WorkspaceId is the Id of the Log Analytics workspace that Azure Sentinel connects to.
  • IncidentId is a unique ID that you can get from running this script

The HTTP method used to delete an incident is DELETE.

If you want to capture the response status code, use Invoke-WebRequest instead of Invoke-RestMethod.

Non-Windows Laziness

For ‘lazy’ people who work on Linux and love the Azure CLI, below is a quick-and-dirty snippet to remove an Azure Sentinel incident.

You need the latest Azure CLI to use az monitor log-analytics workspace.
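The full procedure from the two sections above (resolve the workspace from a WorkspaceId, build the incident URI, send the DELETE and read the status code) as one added bash example. This is not the post's script and does not reproduce its URI; it assumes the documented Microsoft.SecurityInsights incidents endpoint with api-version 2020-01-01, an `az` session with rights on the workspace, a recent Azure CLI, and `curl` on the path. The subscription, resource group, workspace and incident IDs used in the comments are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the original post's script. Deletes one Azure Sentinel
# incident through the Azure Resource Manager REST API, using the Azure CLI for
# authentication and curl for the call so the HTTP status code is visible.
# Assumptions: the documented Microsoft.SecurityInsights incidents endpoint
# with api-version 2020-01-01, an `az` session that has rights on the
# workspace, and a recent Azure CLI (for `az monitor log-analytics workspace`).
set -eu

ARM="https://management.azure.com"
API_VERSION="2020-01-01"   # assumption: GA api-version of the incidents API

# Incident names and workspace IDs are GUIDs; refuse anything else before it is
# spliced into a URI path.
is_guid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Pure string composition of the incident's ARM URI:
# .../workspaces/<name>/providers/Microsoft.SecurityInsights/incidents/<id>
# Arguments: subscription id, resource group, workspace name, incident id.
incident_uri() {
  printf '%s/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s/providers/Microsoft.SecurityInsights/incidents/%s?api-version=%s' \
    "$ARM" "$1" "$2" "$3" "$4" "$API_VERSION"
}

# The post's "simply a WorkspaceId" variant: the portal shows the workspace's
# customerId GUID, while the REST path needs resource group and name, so
# resolve one to the other. Prints "<resourceGroup><TAB><name>".
workspace_from_id() {
  az monitor log-analytics workspace list \
    --query "[?customerId=='$1'].[resourceGroup,name] | [0]" -o tsv
}

# Send the DELETE with a bearer token and print only the HTTP status code, the
# curl equivalent of preferring Invoke-WebRequest over Invoke-RestMethod.
# 200 or 204 means ARM accepted the deletion.
delete_incident() {
  token=$(az account get-access-token --resource "$ARM" --query accessToken -o tsv)
  curl -sS -o /dev/null -w '%{http_code}' -X DELETE \
    -H "Authorization: Bearer $token" "$1"
}

# Usage: ./delete-incident.sh <incident-id> <workspace-id>
main() {
  incident="$1"; workspace_id="$2"
  is_guid "$incident" || { echo "incident id is not a GUID" >&2; exit 2; }
  is_guid "$workspace_id" || { echo "workspace id is not a GUID" >&2; exit 2; }
  sub=$(az account show --query id -o tsv)
  # Intentional word splitting on the tab emitted by -o tsv.
  set -- $(workspace_from_id "$workspace_id")
  [ "$#" -eq 2 ] || { echo "no workspace with customerId $workspace_id" >&2; exit 3; }
  uri=$(incident_uri "$sub" "$1" "$2" "$incident")
  echo "DELETE $uri" >&2
  status=$(delete_incident "$uri")
  echo "HTTP $status"
}

if [ "$#" -eq 2 ]; then
  main "$@"
fi
```

The script prints only the status code rather than the response body, which is exactly the information Invoke-RestMethod hides and Invoke-WebRequest exposes. The GUID check matters because both IDs end up in the request path of a call made with your own bearer token.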

Azure Activity Log

You can check the Azure Activity Log, or use a query like the one below if you have the activity log fed into your workspace.
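An added example of hunting for incident deletions in the Azure Activity Log; it is not the post's own query. It runs a KQL query over AzureActivity through the Azure CLI and applies the same filter offline to constructed sample records. The operation name Microsoft.SecurityInsights/incidents/delete (provider/resourceType/action, stored upper-cased in OperationNameValue) is an assumption about how ARM records the deletion; the sample records are made up.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Finds incident deletions in the
# Azure Activity Log in two ways: live, with a KQL query over AzureActivity run
# through the Azure CLI, and offline, with the same filter applied to
# constructed sample records so the logic can be checked without a workspace.
# Assumption: ARM records the deletion as the provider operation
# Microsoft.SecurityInsights/incidents/delete, which AzureActivity exposes
# (upper-cased) in OperationNameValue.
set -eu

DELETE_OP="MICROSOFT.SECURITYINSIGHTS/INCIDENTS/DELETE"

# Live query. $1 = WorkspaceId (customerId) of the workspace receiving the
# AzureActivity diagnostic feed, $2 = optional lookback (default 7d).
# Each deletion appears as a Start and a Success row with the same Caller.
query_incident_deletes() {
  az monitor log-analytics query -w "$1" -o table --analytics-query "
AzureActivity
| where TimeGenerated > ago(${2:-7d})
| where OperationNameValue =~ '$DELETE_OP'
| project TimeGenerated, ActivityStatusValue, Caller, CallerIpAddress, _ResourceId
| order by TimeGenerated desc"
}

# Offline version of the same filter over pipe-separated records laid out as
# TimeGenerated|Caller|CallerIpAddress|OperationNameValue|_ResourceId.
# Matching is case-insensitive, like KQL's =~.
find_incident_deletes() {
  printf '%s\n' "$1" | awk -F'|' -v op="$DELETE_OP" \
    'toupper($4) == op { printf "%s %s %s %s\n", $1, $2, $3, $5 }'
}

# Constructed sample records (not real log data): an incident update, one
# incident deletion and a workspace read.
WS="/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/sentinel-ws"
SAMPLE_ACTIVITY="2020-03-02T10:15:01Z|alice@contoso.com|203.0.113.7|MICROSOFT.SECURITYINSIGHTS/INCIDENTS/WRITE|$WS/providers/Microsoft.SecurityInsights/incidents/1111
2020-03-02T10:17:44Z|bob@contoso.com|198.51.100.23|Microsoft.SecurityInsights/incidents/delete|$WS/providers/Microsoft.SecurityInsights/incidents/2222
2020-03-02T10:20:09Z|svc-automation|10.0.0.5|MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/READ|$WS"

# With no arguments, run the offline filter over the sample; pass a
# WorkspaceId (and optionally a lookback such as 30d) to query live.
if [ "$#" -ge 1 ]; then
  query_incident_deletes "$@"
else
  find_incident_deletes "$SAMPLE_ACTIVITY"
fi
```

Whoever holds the permission to call the DELETE endpoint also shows up here as Caller with a CallerIpAddress, which is the trail the closing remark of the article is getting at: the incident is gone from Sentinel, but the control-plane operation that removed it is not.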

As of this writing the API is still there, but it may be removed in the future.

