incident resource type


An incident in Microsoft 365 Defender is a collection of correlated alert instances and associated metadata that reflects the story of an attack in a tenant.

Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.


Method Return type Description
List incidents collection Get a list of incident objects that Microsoft 365 Defender has created to track attacks in an organization.
Get incident Read the properties and relationships of an incident object.
Update incident Update the properties of an incident object.
Create comment for incident alertComment Create a comment for an existing incident based on the specified incident id property.


Property Type Description
assignedTo String Owner of the incident, or null if no owner is assigned. Free editable text.
classification The specification for the incident. Possible values are: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue.
comments collection Array of comments created by the Security Operations (SecOps) team when the incident is managed.
createdDateTime DateTimeOffset Time when the incident was first created.
customTags String collection Array of custom tags associated with an incident.
determination Specifies the determination of the incident. Possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedUser, phishing, maliciousUserActivity, clean, insufficientData, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue.
displayName String The incident name.
id String Unique identifier to represent the incident.
incidentWebUrl String The URL for the incident page in the Microsoft 365 Defender portal.
lastUpdateDateTime DateTimeOffset Time when the incident was last updated.
redirectIncidentId String Only populated in case an incident is grouped together with another incident, as part of the logic that processes incidents. In such a case, the status property is redirected.
severity alertSeverity Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically higher severity items require the most immediate attention. Possible values are: unknown, informational, low, medium, high, unknownFutureValue.
status The status of the incident. Possible values are: active, resolved, inProgress, redirected, unknownFutureValue, and awaitingAction.
tenantId String The Azure Active Directory tenant in which the alert was created.

incidentStatus values

The following table lists the members of an evolvable enumeration. You must use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: awaitingAction.

Member Description
active The incident is in active state.
resolved The incident is in resolved state.
inProgress The incident is in mitigation progress.
redirected The incident was merged with another incident. The target incident ID appears in the redirectIncidentId property.
unknownFutureValue Evolvable enumeration sentinel value. Do not use.
awaitingAction This incident has required actions from Defender Experts awaiting your action. This status can only be set by Microsoft 365 Defender experts.


Relationship Type Description
alerts collection The list of related alerts. Supports $expand.

JSON representation

The following is a JSON representation of the resource.

  "@odata.type": "",
  "id": "String (identifier)",
  "incidentWebUrl": "String",
  "tenantId": "String",
  "redirectIncidentId": "String",
  "displayName": "String",
  "createdDateTime": "String (timestamp)",
  "lastUpdateDateTime": "String (timestamp)",
  "assignedTo": "String",
  "classification": "String",
  "determination": "String",
  "status": "String",
  "severity": "String",
  "customTags": [
  "comments": [
      "@odata.type": ""