This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 59%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFL%3C/text%3E%3C/svg%3E)
Hi
To export our Incidents, I'm currently using the Sentinel Rest API, Incidents endpoint. V 2021-10-01.
Instead of doing a full load of all incidents each day, I've implemented a filter in the request $filter= properties/lastModifiedTimeUtc gt 'TodaysDate'.
This gives me all new and changed Incidents. I then merge these with yesterday's load to get the full picture.
But this does not include deleted incidents. Any way to get information about these -without doing a full load of all incidents?
(I will be on holiday until Jan 3.)
Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Frederik Larsen Thank you for reaching out to us, let me research on your ask and will revert back.
There is no deleted incidents option. All are records in log analytics which is largely immutable. You can resolve but not delete.
@Frederik Larsen
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Hi Andrew
You can delete incidents in Sentinel ? Please see picture below:
Wow. That slipped past me thanks.
It may be that the API does not return deleted incidents. You could test with a filter on Status = Deleted.
You could also query the SecurityIncidents table directly using arg_max to get the most recent records.
SecurityIncident
| summarize arg_max(TimeGenerated, *) by ProviderIncidentId
https://learn.microsoft.com/en-us/rest/api/loganalytics/dataaccess/query/get?tabs=HTTP
Thanks for pointing me in this direction.
I also just learned; When deleting an incident you are prompted with the following: "After you delete an incident, the only reference to it will be the audit data in the SecurityIncident table in the Logs screen. (See the table's schema documentation in Log Analytics). The Status field in that table will be updated to "Deleted" for that incident."
So the right way to load Incidents data for my purpose would be to read the SecurityIncident table rather than going via the Sentinel API.
Well hidden, I also now found this documentation which tells more about deletion behavior:
https://learn.microsoft.com/en-us/azure/sentinel/delete-incident