Azure Sentinel how to clear ThreatIntelligenceIndicator table

Pawel Boruc 21 Reputation points
2021-02-19T08:47:29.207+00:00

Hi,
I'm struggling with removing all data from the ThreatIntelligenceIndicator table. I have a little mess inside and would like to import the data once again from the beginning.
Thanks,
Pawel


Accepted answer
  1. VipulSparsh-MSFT 16,251 Reputation points Microsoft Employee
    2021-02-19T13:42:57.423+00:00

    @Pawel Boruc You can delete the Threat Intelligence Indicator connector from here and then re-add it to start from scratch.

    [image]


3 additional answers

  1. Pawel Boruc 21 Reputation points
    2021-02-24T06:51:56.46+00:00

    For me it's a workaround solution. In other SIEM systems we are able to purge all TI data and retrieve it once again.
    Maybe this should be on the to-do list?


  2. JoeG 1 Reputation point
    2022-02-22T19:39:54.927+00:00

    Is there a way to do a bulk delete of all indicators? I have the DShieldScanningIPs source with over 60k IPs and I'd like to delete them all but it appears I can only delete 100 of them at a time. This will take a while.

    JoeG


  3. Toman, Miroslav 1 Reputation point
    2023-02-17T06:54:59.5966667+00:00

    OK, it has been some time, but I am still unable to find a suitable solution to remove 50k+ IoCs from Sentinel with one query / command / REST API. Is there a way now? I am using the Graph API for removing them and I receive a strange error that the indicator does not exist, even though KQL does show its ID. It is very frustrating that there is no documentation on how to purge the DB.

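A point that explains why the Graph API can report an indicator as missing while KQL still shows its ID: ThreatIntelligenceIndicator is an append-only Log Analytics table, so every create, update and delete of an indicator lands as a new row and old rows stay until retention expires. The query below (an added example, not from any participant in this thread; it assumes the standard column names SourceSystem, IndicatorId, Active and ExpirationDateTime) collapses the history to the latest row per indicator and then counts, per source, what is really active versus already deleted or expired, which is the check to run after re-adding the connector or after a bulk delete.

```kql
// Added example: current state of the TI table per source.
// The table is append-only, so first reduce to the latest row per
// IndicatorId; otherwise deleted and superseded versions are counted too.
let lookback = 90d;   // assumption: adjust to your table retention
ThreatIntelligenceIndicator
| where TimeGenerated > ago(lookback)
| summarize arg_max(TimeGenerated, *) by IndicatorId
| extend State = case(
    Active == false, "deleted/inactive",        // Graph delete sets Active=false
    ExpirationDateTime <= now(), "expired",     // still stored, no longer matched
    "active")
| summarize Indicators = count(), LastSeen = max(TimeGenerated)
    by SourceSystem, State
| order by SourceSystem asc, State asc
```

Run it before and after a purge: a source such as DShieldScanningIPs that only appears under "deleted/inactive" or "expired" is gone from matching even though its rows remain visible in raw KQL.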