Update incident

Namespace: microsoft.graph.security

Update the properties of an incident object.

This API is supported in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet


One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type Permissions (from least to most privileged)
Delegated (work or school account) SecurityIncident.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application SecurityIncident.ReadWrite.All

HTTP request

PATCH /security/incidents/{incidentId}

Request headers

Name Description
Authorization Bearer {token}. Required.
Content-Type application/json. Required.

Request body

In the request body, supply only the values for properties that should be updated. Existing properties that aren't included in the request body maintains their previous values or be recalculated based on changes to other property values.

The following table specifies the properties that can be updated.

Property Type Description
assignedTo String Owner of the incident, or null if no owner is assigned. Free editable text.
classification microsoft.graph.security.alertClassification The specification for the incident. Possible values are: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue.
determination microsoft.graph.security.alertDetermination Specifies the determination of the incident. Possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedUser, phishing, maliciousUserActivity, notMalicious, notEnoughDataToValidate, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue.
status microsoft.graph.security.incidentStatus The status of the incident. Possible values are: active, resolved, redirected, unknownFutureValue.
customTags String collection Array of custom tags associated with an incident.


If successful, this method returns a 200 OK response code and an updated incident object in the response body.



The following is an example of a request.

PATCH https://graph.microsoft.com/v1.0/security/incidents/2972395
Content-Type: application/json

    "classification": "TruePositive",
    "determination": "MultiStagedAttack",
    "customTags": [


The following is an example of the response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-Type: application/json

    "@odata.type": "#microsoft.graph.incident",
    "id": "2972395",
    "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",
    "redirectIncidentId": null,
    "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",
    "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
    "createdDateTime": "2021-08-13T08:43:35.5533333Z",
    "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",
    "assignedTo": "KaiC@contoso.onmicrosoft.com",
    "classification": "TruePositive",
    "determination": "MultiStagedAttack",
    "status": "Active",
    "severity": "Medium",
    "customTags": [
    "comments": [
		"comment": "Demo incident",
		"createdBy": "DavidS@contoso.onmicrosoft.com",
		"createdTime": "2021-09-30T12:07:37.2756993Z"