incident resource type
Namespace: microsoft.graph.security
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
An incident in Microsoft 365 Defender is a collection of correlated alert instances and associated metadata that reflects the story of an attack in a tenant.
Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.
Methods
| Method | Return type | Description |
|---|---|---|
| List incidents | microsoft.graph.security.incident collection | Get a list of incident objects that Microsoft 365 Defender created to track attacks in an organization. |
| Get incident | microsoft.graph.security.incident | Read the properties and relationships of an incident object. |
| Update incident | microsoft.graph.security.incident | Update the properties of an incident object. |
| Create comment for incident | alertComment | Create a comment for an existing incident based on the specified incident id property. |
Properties
| Property | Type | Description |
|---|---|---|
| assignedTo | String | Owner of the incident, or null if no owner is assigned. Free editable text. |
| classification | microsoft.graph.security.alertClassification | The specification for the incident. Possible values are: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue. |
| comments | microsoft.graph.security.alertComment collection | Array of comments created by the Security Operations (SecOps) team when the incident is managed. |
| createdDateTime | DateTimeOffset | Time when the incident was first created. |
| customTags | String collection | The collection of custom tags that are associated with an incident. |
| description | String | Description of the incident. |
| description | String | A rich text String that describes the incident |
| determination | microsoft.graph.security.alertDetermination | Specifies the determination of the incident. Possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedUser, phishing, maliciousUserActivity, clean, insufficientData, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue. |
| displayName | String | The incident name. |
| id | String | Unique identifier to represent the incident. |
| incidentWebUrl | String | The URL for the incident page in the Microsoft 365 Defender portal. |
| lastModifiedBy | String | The identity that last modified the incident. |
| lastUpdateDateTime | DateTimeOffset | Time when the incident was last updated. |
| recommendedActions | String | A rich text string that represents the actions that are reccomnded to take in order to resolve the incident. |
| recommendedHuntingQueries | Collection(microsoft.graph.security.recommendedHuntingQuery) | List of hunting Kusto Query Language (KQL) queries related to the incident. |
| redirectIncidentId | String | Only populated in case an incident is grouped together with another incident, as part of the logic that processes incidents. In such a case, the status property is redirected. |
| resolvingComment | String | User input that explains the resolution of the incident and the classification choice. This property contains free editable text. |
| severity | alertSeverity | Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically higher severity items require the most immediate attention. Possible values are: unknown, informational, low, medium, high, unknownFutureValue. |
| status | microsoft.graph.security.incidentStatus | The status of the incident. Possible values are: active, resolved, inProgress, redirected, unknownFutureValue, and awaitingAction. |
| summary | String | The overview of an attack. When applicable, the summary contains details of what occurred, impacted assets, and the type of attack. |
| systemTags | String collection | The collection of system tags that are associated with the incident. |
| tenantId | String | The Microsoft Entra tenant in which the alert was created. |
incidentStatus values
The following table lists the members of an evolvable enumeration. You must use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: awaitingAction.
| Member | Description |
|---|---|
| active | The incident is in active state. |
| resolved | The incident is in resolved state. |
| inProgress | The incident is in mitigation progress. |
| redirected | The incident was merged with another incident. The target incident ID appears in the redirectIncidentId property. |
| unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
| awaitingAction | This incident requires actions from Defender Experts awaiting your action. Only Microsoft 365 Defender experts can set this status. |
Relationships
| Relationship | Type | Description |
|---|---|---|
| alerts | microsoft.graph.security.alert collection | The list of related alerts. Supports $expand. |
JSON representation
The following JSON representation shows the resource type.
{
"@odata.type": "#microsoft.graph.security.incident",
"assignedTo": "String",
"classification": "String",
"comments": [{"@odata.type": "microsoft.graph.security.alertComment"}],
"createdDateTime": "String (timestamp)",
"customTags": ["String"],
"description" : "String",
"determination": "String",
"displayName": "String",
"id": "String (identifier)",
"incidentWebUrl": "String",
"lastModifiedBy": "String",
"lastUpdateDateTime": "String (timestamp)",
"recommendedActions" : "String",
"recommendedHuntingQueries" : [{"@odata.type": "microsoft.graph.security.recommendedHuntingQuery"}],
"redirectIncidentId": "String",
"resolvingComment": "String",
"severity": "String",
"status": "String",
"summary": "String",
"systemTags" : ["String"],
"tenantId": "String"
}