Microsoft.SecurityInsights incidents 2021-03-01-preview
- Latest
- 2023-02-01-preview
- 2022-12-01-preview
- 2022-11-01
- 2022-11-01-preview
- 2022-10-01-preview
- 2022-09-01-preview
- 2022-08-01
- 2022-08-01-preview
- 2022-07-01-preview
- 2022-06-01-preview
- 2022-05-01-preview
- 2022-04-01-preview
- 2022-01-01-preview
- 2021-10-01
- 2021-10-01-preview
- 2021-09-01-preview
- 2021-04-01
- 2021-03-01-preview
- 2020-01-01
- 2019-01-01-preview
Bicep resource definition
The incidents resource type is an extension resource, which means you can apply it to another resource.
Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in Bicep.
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/incidents resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.SecurityInsights/incidents@2021-03-01-preview' = {
name: 'string'
scope: resourceSymbolicName
etag: 'string'
properties: {
classification: 'string'
classificationComment: 'string'
classificationReason: 'string'
description: 'string'
firstActivityTimeUtc: 'string'
labels: [
{
labelName: 'string'
}
]
lastActivityTimeUtc: 'string'
owner: {
assignedTo: 'string'
email: 'string'
objectId: 'string'
userPrincipalName: 'string'
}
providerIncidentId: 'string'
providerName: 'string'
severity: 'string'
status: 'string'
teamInformation: {}
title: 'string'
}
}
Property values
incidents
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| scope | Use when creating an extension resource at a scope that is different than the deployment scope. | Target resource For Bicep, set this property to the symbolic name of the resource to apply the extension resource. |
| etag | Etag of the azure resource | string |
| properties | Incident properties | IncidentProperties |
IncidentProperties
| Name | Description | Value |
|---|---|---|
| classification | The reason the incident was closed | 'BenignPositive' 'FalsePositive' 'TruePositive' 'Undetermined' |
| classificationComment | Describes the reason the incident was closed | string |
| classificationReason | The classification reason the incident was closed with | 'InaccurateData' 'IncorrectAlertLogic' 'SuspiciousActivity' 'SuspiciousButExpected' |
| description | The description of the incident | string |
| firstActivityTimeUtc | The time of the first activity in the incident | string |
| labels | List of labels relevant to this incident | IncidentLabel[] |
| lastActivityTimeUtc | The time of the last activity in the incident | string |
| owner | Describes a user that the incident is assigned to | IncidentOwnerInfo |
| providerIncidentId | The incident ID assigned by the incident provider | string |
| providerName | The name of the source provider that generated the incident | string |
| severity | The severity of the incident | 'High' 'Informational' 'Low' 'Medium' (required) |
| status | The status of the incident | 'Active' 'Closed' 'New' (required) |
| teamInformation | Describes a team for the incident | TeamInformation |
| title | The title of the incident | string (required) |
IncidentLabel
| Name | Description | Value |
|---|---|---|
| labelName | The name of the label | string (required) |
IncidentOwnerInfo
| Name | Description | Value |
|---|---|---|
| assignedTo | The name of the user the incident is assigned to. | string |
| The email of the user the incident is assigned to. | string | |
| objectId | The object id of the user the incident is assigned to. | string |
| userPrincipalName | The user principal name of the user the incident is assigned to. | string |
TeamInformation
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
ARM template resource definition
The incidents resource type is an extension resource, which means you can apply it to another resource.
Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in ARM templates.
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/incidents resource, add the following JSON to your template.
{
"type": "Microsoft.SecurityInsights/incidents",
"apiVersion": "2021-03-01-preview",
"name": "string",
"scope": "string",
"etag": "string",
"properties": {
"classification": "string",
"classificationComment": "string",
"classificationReason": "string",
"description": "string",
"firstActivityTimeUtc": "string",
"labels": [
{
"labelName": "string"
}
],
"lastActivityTimeUtc": "string",
"owner": {
"assignedTo": "string",
"email": "string",
"objectId": "string",
"userPrincipalName": "string"
},
"providerIncidentId": "string",
"providerName": "string",
"severity": "string",
"status": "string",
"teamInformation": {},
"title": "string"
}
}
Property values
incidents
| Name | Description | Value |
|---|---|---|
| type | The resource type | 'Microsoft.SecurityInsights/incidents' |
| apiVersion | The resource api version | '2021-03-01-preview' |
| name | The resource name | string (required) |
| scope | Use when creating an extension resource at a scope that is different than the deployment scope. | Target resource For JSON, set the value to the full name of the resource to apply the extension resource to. |
| etag | Etag of the azure resource | string |
| properties | Incident properties | IncidentProperties |
IncidentProperties
| Name | Description | Value |
|---|---|---|
| classification | The reason the incident was closed | 'BenignPositive' 'FalsePositive' 'TruePositive' 'Undetermined' |
| classificationComment | Describes the reason the incident was closed | string |
| classificationReason | The classification reason the incident was closed with | 'InaccurateData' 'IncorrectAlertLogic' 'SuspiciousActivity' 'SuspiciousButExpected' |
| description | The description of the incident | string |
| firstActivityTimeUtc | The time of the first activity in the incident | string |
| labels | List of labels relevant to this incident | IncidentLabel[] |
| lastActivityTimeUtc | The time of the last activity in the incident | string |
| owner | Describes a user that the incident is assigned to | IncidentOwnerInfo |
| providerIncidentId | The incident ID assigned by the incident provider | string |
| providerName | The name of the source provider that generated the incident | string |
| severity | The severity of the incident | 'High' 'Informational' 'Low' 'Medium' (required) |
| status | The status of the incident | 'Active' 'Closed' 'New' (required) |
| teamInformation | Describes a team for the incident | TeamInformation |
| title | The title of the incident | string (required) |
IncidentLabel
| Name | Description | Value |
|---|---|---|
| labelName | The name of the label | string (required) |
IncidentOwnerInfo
| Name | Description | Value |
|---|---|---|
| assignedTo | The name of the user the incident is assigned to. | string |
| The email of the user the incident is assigned to. | string | |
| objectId | The object id of the user the incident is assigned to. | string |
| userPrincipalName | The user principal name of the user the incident is assigned to. | string |
TeamInformation
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
Terraform (AzAPI provider) resource definition
The incidents resource type is an extension resource, which means you can apply it to another resource.
Use the parent_id property on this resource to set the scope for this resource.
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/incidents resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.SecurityInsights/incidents@2021-03-01-preview"
name = "string"
parent_id = "string"
body = jsonencode({
properties = {
classification = "string"
classificationComment = "string"
classificationReason = "string"
description = "string"
firstActivityTimeUtc = "string"
labels = [
{
labelName = "string"
}
]
lastActivityTimeUtc = "string"
owner = {
assignedTo = "string"
email = "string"
objectId = "string"
userPrincipalName = "string"
}
providerIncidentId = "string"
providerName = "string"
severity = "string"
status = "string"
teamInformation = {}
title = "string"
}
etag = "string"
})
}
Property values
incidents
| Name | Description | Value |
|---|---|---|
| type | The resource type | "Microsoft.SecurityInsights/incidents@2021-03-01-preview" |
| name | The resource name | string (required) |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| etag | Etag of the azure resource | string |
| properties | Incident properties | IncidentProperties |
IncidentProperties
| Name | Description | Value |
|---|---|---|
| classification | The reason the incident was closed | "BenignPositive" "FalsePositive" "TruePositive" "Undetermined" |
| classificationComment | Describes the reason the incident was closed | string |
| classificationReason | The classification reason the incident was closed with | "InaccurateData" "IncorrectAlertLogic" "SuspiciousActivity" "SuspiciousButExpected" |
| description | The description of the incident | string |
| firstActivityTimeUtc | The time of the first activity in the incident | string |
| labels | List of labels relevant to this incident | IncidentLabel[] |
| lastActivityTimeUtc | The time of the last activity in the incident | string |
| owner | Describes a user that the incident is assigned to | IncidentOwnerInfo |
| providerIncidentId | The incident ID assigned by the incident provider | string |
| providerName | The name of the source provider that generated the incident | string |
| severity | The severity of the incident | "High" "Informational" "Low" "Medium" (required) |
| status | The status of the incident | "Active" "Closed" "New" (required) |
| teamInformation | Describes a team for the incident | TeamInformation |
| title | The title of the incident | string (required) |
IncidentLabel
| Name | Description | Value |
|---|---|---|
| labelName | The name of the label | string (required) |
IncidentOwnerInfo
| Name | Description | Value |
|---|---|---|
| assignedTo | The name of the user the incident is assigned to. | string |
| The email of the user the incident is assigned to. | string | |
| objectId | The object id of the user the incident is assigned to. | string |
| userPrincipalName | The user principal name of the user the incident is assigned to. | string |
TeamInformation
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for