Bulk delete Sentinel Threat Intelligence

Anchal Singh 0 Reputation points
2024-04-04T15:08:19.5+00:00

I used Workspace Purge Rest API to bulk delete Sentinel threat intelligence. I used the api to remove intelligence from 'ThreatIntelligenceIndicator' table on sentinel but this did not end up deleting them from Sentinel threat intelligence (under Threat management). Removing threat intel from the 'ThreatIntelligenceIndicator' table should reflect on Sentinel Threat Intelligence but I don't understand why it is not reflecting.


How can I resolve this issue?


1 answer

  1. Andrew Blumhardt 9,856 Reputation points Microsoft Employee
    2024-04-05T12:20:59.6233333+00:00

    I am not sure of the specific cause, but this is not a common practice, though technically feasible. I suspect this will clear up in 12-24 hours. You may need to open a support case if this runs longer.

    It may help to consider how this feature functions. The TI view only displays the most recent, unique, active records from the table. Each IOC is given an ID. Any updates are represented as a new record. For example, when a record expires, a new record is written with an inactive flag for the IOC. I assume what you see in the portal is not a direct query. Likely a hidden sub-table that is updated periodically. The purge may have caused an unexpected interruption to this process.
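The model described in the answer (one row per update, the view showing only the newest, still-active row per indicator) can be reconstructed from the raw table with KQL. The query below is an added example, not part of the question or answer; it assumes the standard `ThreatIntelligenceIndicator` schema (`IndicatorId`, `Active`, `ExpirationDateTime`, `TimeGenerated`) and a 30-day lookback, which you can adjust.

```kql
// Added example: rebuild the "current" threat intelligence view from the raw table.
// Assumes the standard ThreatIntelligenceIndicator columns and a 30-day lookback.
let lookback = 30d;
let latest =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(lookback)
    // Every update, including an expiry, is a new row for the same IndicatorId,
    // so keep only the newest row per indicator and count how many versions exist.
    | summarize Versions = count(), arg_max(TimeGenerated, *) by IndicatorId;
// Rows the TI blade would show: newest version, still flagged active, not yet expired.
latest
| where Active == true and ExpirationDateTime > now()
| project IndicatorId, TimeGenerated, Versions, NetworkIP, DomainName, Url, FileHashValue
| order by TimeGenerated desc
```

Comparing this result with the Threat Intelligence blade after a purge shows whether the table and the portal view have diverged, which is the evidence to attach to a support case.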

