Get incident information API
Note
If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.
Tip
For better performance, you can use the server closest to your geographic location:
- us.api.security.microsoft.com
- eu.api.security.microsoft.com
- uk.api.security.microsoft.com
- au.api.security.microsoft.com
- swa.api.security.microsoft.com
- ina.api.security.microsoft.com
Note
Try our new APIs using the Microsoft Graph security API. Find out more at: Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn.
Retrieves a specific incident by its ID.
- Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.
One of the following permissions is required to call this API.
Permission type | Permission | Permission display name |
---|---|---|
Application | Incident.Read.All | Read all Incidents |
Application | Incident.ReadWrite.All | Read and write all Incidents |
Delegated (work or school account) | Incident.Read | Read Incidents |
Delegated (work or school account) | Incident.ReadWrite | Read and write Incidents |
Note
When obtaining a token using user credentials:
- The user needs to have at least the following role permission: View Data.
- The response will only include incidents that the user is exposed to.
GET .../api/incidents/{id}
Name | Type | Description |
---|---|---|
Authorization | String | Bearer {token}. Required. |
Request body: Empty
If successful, this method returns 200 OK, and the incident entity in the response body.
If an incident with the specified ID wasn't found, the method returns 404 Not Found.
Here's an example of the request.
GET https://api.security.microsoft.com/api/incidents/{id}
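The following is an added example, not Microsoft's code, showing one way to call this endpoint from Python while staying inside the documented rate limits and handling the 200 OK and 404 Not Found outcomes. The names `RateLimiter`, `http_get` and `get_incident` are hypothetical, and the bearer token is assumed to have been obtained separately with one of the permissions listed above.

```python
import json, time
import urllib.error, urllib.request
from collections import deque
from urllib.parse import quote

API_HOST = "api.security.microsoft.com"  # or one of the regional hosts listed on this page

class RateLimiter:
    """Sliding-window limiter for the documented caps: 100 calls/minute, 1,500 calls/hour."""
    LIMITS = ((60, 100), (3600, 1500))  # (window in seconds, max calls)
    def __init__(self, clock=time.monotonic):
        self.clock, self.calls = clock, deque()

    def wait_time(self):
        """Seconds to wait so that the next call stays inside both windows."""
        now = self.clock()
        while self.calls and now - self.calls[0] >= 3600:
            self.calls.popleft()  # older than the longest window
        wait = 0.0
        for window, limit in self.LIMITS:
            recent = [t for t in self.calls if now - t < window]
            if len(recent) >= limit:
                # The next call fits once the limit-th most recent call ages out.
                wait = max(wait, recent[-limit] + window - now)
        return wait

    def record(self):
        self.calls.append(self.clock())

def http_get(url, headers):  # default transport (hypothetical helper)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:  # non-2xx responses arrive as exceptions
        return err.code, err.read().decode("utf-8", "replace")

def get_incident(incident_id, token, limiter, host=API_HOST, transport=http_get, sleep=time.sleep):
    """Return the incident entity as a dict, or None when the API answers 404 Not Found."""
    sleep(limiter.wait_time())
    limiter.record()
    # Percent-encode the ID so a malformed value cannot change the request path.
    url = f"https://{host}/api/incidents/{quote(str(incident_id), safe='')}"
    status, body = transport(url, {"Authorization": f"Bearer {token}"})
    if status == 200:
        return json.loads(body)
    if status == 404:
        return None
    raise RuntimeError(f"unexpected HTTP status {status} from incidents API")
```

Share one `RateLimiter` instance across all callers that use the same credentials, and keep the token out of logs and exception messages.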