Azure Sentinel how to clear ThreatIntelligenceIndicator table

Pawel Boruc 21 Reputation points

I'm struggling with removing all data from the ThreatIntelligenceIndicator table. I have a little mess inside and would like to import the data once again from the beginning.


Accepted answer
  1. VipulSparsh-MSFT 16,251 Reputation points Microsoft Employee

    @Pawel Boruc You can delete the Threat Intelligence Indicator connector from here and then re-add it to start from scratch.


3 additional answers

  1. Pawel Boruc 21 Reputation points

    For me it's a workaround solution. In other SIEM systems we are able to purge all TI data and retrieve them once again.
    Maybe this should be on the to-do list?

  2. JoeG 1 Reputation point

    Is there a way to do a bulk delete of all indicators? I have the DShieldScanningIPs source with over 60k IPs and I'd like to delete them all but it appears I can only delete 100 of them at a time. This will take a while.


  3. Toman, Miroslav 1 Reputation point

    OK, it has been some time, but I am still unable to find a suitable solution to remove 50k+ IoCs from Sentinel with one query / command / REST API. Is there a way now? I am using the Graph API for removing and I receive a strange error that the indicator does not exist, even though KQL does show its ID. It is very frustrating that there is no documentation on how to purge the DB.
