Επεξεργασία

Κοινή χρήση μέσω


Delete incidents in Microsoft Sentinel in the Azure portal

Important

Incident deletion using the portal is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Incident deletion is generally available through the API.

The ability to create incidents from scratch in Microsoft Sentinel in the Azure portal opens the possibility that you'll create an incident that you later decide you shouldn't have. For example, you may have created an incident based on an employee report, before having received any evidence (such as alerts), and soon afterward you receive alerts that automatically generate the incident in question. But now, you have a duplicate incident with no data in it. In this scenario, you can delete your duplicate incident right from the incident queue in the Azure portal.

Deleting an incident is not a substitute for closing an incident! Deleting an incident should only be done when at least one of the following conditions is met:

  • The incident was created manually by mistake.
  • The incident exactly duplicates another incident.
  • Faulty incidents were generated in bulk by a broken analytics rule.
  • The incident contains no data - alerts, entities, bookmarks, and so on.

In all other cases, when an incident is no longer needed, it should be closed, not deleted. Closing an incident requires you to specify the reason for closing it, and allows you to add additional comments for context and clarification. Closing old incidents in this way preserves the transparency and integrity of your SOC, and also allows for the possibility of reopening the incident if the problem resurfaces.

Delete an incident using the Azure portal

To delete a single incident:

  1. From the Microsoft Sentinel navigation menu, select Incidents.

  2. On the Incidents page, select the incident you want to delete.

  3. Select View full details in the details pane to enter the incident's full details view.

  4. Select Delete incident from the button bar at the top. Screenshot of deleting incident from details screen.

  5. Answer Yes to the confirmation prompt that appears. Screenshot of single incident deletion confirmation dialog.

Alternatively, you can follow the instructions for deleting multiple incidents (immediately below), and mark a single incident's checkbox.

To delete multiple incidents:

  1. From the Microsoft Sentinel navigation menu, select Incidents.

  2. On the Incidents page, select the incident or incidents you want to delete, by marking the checkboxes next to each one in the incidents grid.

  3. Select Delete from the button bar. Screenshot of deleting multiple incidents from incident queue.

  4. Answer Yes to the confirmation prompt that appears. Screenshot of multiple-incident-deletion confirmation dialog.

Delete an incident using the Microsoft Sentinel API

The Incidents operation group allows you to delete incidents as well as to create and update (edit), get (retrieve), and list them.

You delete an incident using the following endpoint. After this request is made, the incident will be visible in the incident queue in the portal.

DELETE https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}?api-version=2022-07-01-preview

Notes

  • To delete an incident, you must have the Microsoft Sentinel Contributor role.

  • Deleting an incident is not reversible! After you delete an incident, the only reference to it will be the audit data in the SecurityIncident table in the Logs screen. (See the table's schema documentation in Log Analytics). The Status field in that table will be updated to "Deleted" for that incident.

    Note

    Due to the 64 KB limit of the record size in the SecurityIncident table, incident comments may be truncated (beginning from the earliest) if the limit is exceeded.

  • You can't delete incidents from within Microsoft Sentinel that were imported from and synchronized with Microsoft Defender XDR.

  • If an alert related to a deleted incident gets updated, or if a new alert is grouped under a deleted incident, a new incident will be created to replace the deleted one.

Next steps

For more information, see: