incident resource type

Namespace: microsoft.graph.security

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

An incident in Microsoft 365 Defender is a collection of correlated alert instances and associated metadata that reflects the story of an attack in a tenant.

Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.

Methods

Method Return type Description
List incidents microsoft.graph.security.incident collection Get a list of incident objects that Microsoft 365 Defender created to track attacks in an organization.
Get incident microsoft.graph.security.incident Read the properties and relationships of an incident object.
Update incident microsoft.graph.security.incident Update the properties of an incident object.
Create comment for incident alertComment Create a comment for an existing incident based on the specified incident id property.

Properties

Property Type Description
assignedTo String Owner of the incident, or null if no owner is assigned. Free editable text.
classification microsoft.graph.security.alertClassification The analyst classification of the incident. Possible values are: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue.
comments microsoft.graph.security.alertComment collection Array of comments created by the Security Operations (SecOps) team when the incident is managed.
createdDateTime DateTimeOffset Time when the incident was first created.
customTags String collection The collection of custom tags that are associated with an incident.
description String A rich text string that describes the incident.
determination microsoft.graph.security.alertDetermination Specifies the determination of the incident. Possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedUser, phishing, maliciousUserActivity, clean, insufficientData, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue.
displayName String The incident name.
id String Unique identifier to represent the incident.
incidentWebUrl String The URL for the incident page in the Microsoft 365 Defender portal.
lastModifiedBy String The identity that last modified the incident.
lastUpdateDateTime DateTimeOffset Time when the incident was last updated.
recommendedActions String A rich text string that lists the actions recommended to resolve the incident.
recommendedHuntingQueries Collection(microsoft.graph.security.recommendedHuntingQuery) List of hunting Kusto Query Language (KQL) queries related to the incident.
redirectIncidentId String Populated only when this incident has been merged into another incident as part of the logic that processes incidents. In that case the status property is set to redirected and this property holds the ID of the target incident.
resolvingComment String User input that explains the resolution of the incident and the classification choice. This property contains free editable text.
severity alertSeverity Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically higher severity items require the most immediate attention. Possible values are: unknown, informational, low, medium, high, unknownFutureValue.
status microsoft.graph.security.incidentStatus The status of the incident. Possible values are: active, resolved, inProgress, redirected, unknownFutureValue, and awaitingAction.
summary String The overview of an attack. When applicable, the summary contains details of what occurred, impacted assets, and the type of attack.
systemTags String collection The collection of system tags that are associated with the incident.
tenantId String The Microsoft Entra tenant in which the incident was created.
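The property table above gives the enum values an analyst writes back through the Update incident method when closing an incident. The following is an added example, not code from this page or from Microsoft, that builds and validates such a PATCH body offline. The enum members are taken from the table; the pairing of determinations to classifications, the set of properties treated as writable (status, classification, determination, resolvingComment, assignedTo, customTags) and the placeholder bearer token are assumptions of the example. Confirm the writable set against the Update incident method page before use.

```python
"""Added example: validate and assemble a PATCH body for closing a
Microsoft 365 Defender incident through the beta Graph endpoint.
Not the page's or Microsoft's code; see the assumptions noted inline."""
import json
from typing import Dict, Iterable, Optional

GRAPH_BETA_INCIDENTS = "https://graph.microsoft.com/beta/security/incidents"

# Members from the property table. unknownFutureValue is an evolvable-enum
# sentinel for reading only and is deliberately left out so it is never written.
CLASSIFICATIONS = {"unknown", "falsePositive", "truePositive",
                   "informationalExpectedActivity"}
DETERMINATIONS = {"unknown", "apt", "malware", "securityPersonnel",
                  "securityTesting", "unwantedSoftware", "other",
                  "multiStagedAttack", "compromisedUser", "phishing",
                  "maliciousUserActivity", "clean", "insufficientData",
                  "confirmedUserActivity", "lineOfBusinessApplication"}

# Assumption: which determinations are coherent under each classification.
# This grouping mirrors how the Defender portal presents the choices; the
# page itself does not state it.
ALLOWED_DETERMINATIONS: Dict[str, set] = {
    "truePositive": {"multiStagedAttack", "maliciousUserActivity",
                     "compromisedUser", "malware", "phishing",
                     "unwantedSoftware", "apt", "other"},
    "informationalExpectedActivity": {"securityTesting",
                                      "lineOfBusinessApplication",
                                      "confirmedUserActivity",
                                      "securityPersonnel", "other"},
    "falsePositive": {"clean", "insufficientData", "other"},
    "unknown": {"unknown"},
}


def build_resolution_patch(classification: str, determination: str,
                           resolving_comment: str,
                           assigned_to: Optional[str] = None,
                           custom_tags: Optional[Iterable[str]] = None) -> Dict:
    """Return the JSON-ready body for resolving an incident, rejecting the
    enum sentinel, unknown members, incoherent pairings and empty comments."""
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"invalid or non-writable classification {classification!r}")
    if determination not in DETERMINATIONS:
        raise ValueError(f"invalid or non-writable determination {determination!r}")
    if determination not in ALLOWED_DETERMINATIONS[classification]:
        raise ValueError(f"determination {determination!r} does not fit "
                         f"classification {classification!r}")
    if not resolving_comment or not resolving_comment.strip():
        raise ValueError("resolvingComment must explain the resolution")

    body = {
        "status": "resolved",
        "classification": classification,
        "determination": determination,
        "resolvingComment": resolving_comment.strip(),
    }
    if assigned_to is not None:
        body["assignedTo"] = assigned_to
    if custom_tags is not None:
        # Deduplicate and sort so repeated PATCHes are idempotent.
        body["customTags"] = sorted(set(custom_tags))
    return body


def patch_request(incident_id: str, body: Dict) -> Dict:
    """Assemble the Update incident request (method, URL, headers, serialized
    body). The caller sends it with its own HTTP client; the token is a
    placeholder."""
    if not incident_id or "/" in incident_id or "?" in incident_id:
        raise ValueError("incident id must be a single URL path segment")
    return {
        "method": "PATCH",
        "url": f"{GRAPH_BETA_INCIDENTS}/{incident_id}",
        "headers": {"Authorization": "Bearer <access-token>",
                    "Content-Type": "application/json"},
        "body": json.dumps(body),
    }


if __name__ == "__main__":
    closing = build_resolution_patch(
        "truePositive", "phishing",
        "User-reported lure confirmed; credentials reset and sessions revoked.",
        custom_tags=["phish", "q1"])
    print(patch_request("12345", closing)["body"])
```

The pairing table is the check most worth keeping even if the rest is replaced: a falsePositive closed with determination phishing, or a truePositive closed as clean, silently corrupts the tenant's detection-quality metrics and is easy to produce from a form that offers every enum member.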

incidentStatus values

The following table lists the members of an evolvable enumeration. You must send the Prefer: include-unknown-enum-members request header to receive the following member of this evolvable enum: awaitingAction. Without that header, an incident in that state is returned with the status unknownFutureValue.

Member Description
active The incident is in active state.
resolved The incident is in resolved state.
inProgress The incident is in mitigation progress.
redirected The incident was merged with another incident. The target incident ID appears in the redirectIncidentId property.
unknownFutureValue Evolvable enumeration sentinel value. Don't use.
awaitingAction The incident is waiting on an action from your organization that Defender Experts have requested. Only Microsoft 365 Defender Experts can set this status.
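The two status members that trip up automation are redirected, where the incident's alerts now live under the incident named by redirectIncidentId, and unknownFutureValue, which a client that omits the Prefer header receives in place of awaitingAction. The following added example, not code from this page or from Microsoft, processes a page of incident objects offline: it sends the Prefer header, follows redirect chains with loop protection, sets aside incidents whose status the client could not interpret, and orders the remaining open incidents by severity. SAMPLE_INCIDENTS is constructed data in the shape of this resource type, reduced to the fields the logic needs; it is not a captured response. The bearer token is a placeholder.

```python
"""Added example: consume a page of microsoft.graph.security.incident objects.
Not the page's or Microsoft's code; the sample data below is constructed."""
from typing import Dict, List, Set

GRAPH_BETA_INCIDENTS = "https://graph.microsoft.com/beta/security/incidents"

# Without this Prefer header, Graph reports awaitingAction incidents as the
# sentinel unknownFutureValue, so they would vanish from an "open" filter.
LIST_HEADERS = {
    "Authorization": "Bearer <access-token>",  # placeholder, not a real token
    "Prefer": "include-unknown-enum-members",
}

SEVERITY_RANK = {"high": 4, "medium": 3, "low": 2, "informational": 1, "unknown": 0}
OPEN_STATUSES = {"active", "inProgress", "awaitingAction"}

# Constructed sample page: one redirect, one sentinel, one resolved incident.
SAMPLE_INCIDENTS: List[Dict] = [
    {"id": "1", "status": "active", "severity": "high",
     "createdDateTime": "2024-03-01T09:00:00Z", "redirectIncidentId": None},
    {"id": "2", "status": "redirected", "severity": "medium",
     "createdDateTime": "2024-03-01T09:05:00Z", "redirectIncidentId": "1"},
    {"id": "3", "status": "awaitingAction", "severity": "medium",
     "createdDateTime": "2024-02-28T17:30:00Z", "redirectIncidentId": None},
    {"id": "4", "status": "unknownFutureValue", "severity": "high",
     "createdDateTime": "2024-03-02T08:00:00Z", "redirectIncidentId": None},
    {"id": "5", "status": "resolved", "severity": "low",
     "createdDateTime": "2024-02-20T12:00:00Z", "redirectIncidentId": None},
    {"id": "6", "status": "inProgress", "severity": "high",
     "createdDateTime": "2024-03-01T10:00:00Z", "redirectIncidentId": None},
]


def resolve_redirect(incident_id: str, by_id: Dict[str, Dict],
                     max_hops: int = 10) -> str:
    """Follow redirectIncidentId until reaching an incident that is not itself
    redirected. The returned id may be absent from by_id when the target sits
    on another page of results; the caller then fetches it with Get incident."""
    visited: Set[str] = set()
    current = incident_id
    while current in by_id and by_id[current]["status"] == "redirected":
        if current in visited or len(visited) >= max_hops:
            raise ValueError(f"redirect loop or over-long chain at incident {current}")
        visited.add(current)
        target = by_id[current].get("redirectIncidentId")
        if not target:
            raise ValueError(f"incident {current} is redirected without a redirectIncidentId")
        current = target
    return current


def build_triage_queue(incidents: List[Dict]) -> Dict:
    """Split a page of incidents into an ordered work queue, a map of merged
    incidents to their targets, and ids whose status the client could not read."""
    by_id = {inc["id"]: inc for inc in incidents}
    queue_ids: Set[str] = set()
    redirects: Dict[str, str] = {}
    needs_header: List[str] = []

    for inc in incidents:
        status = inc["status"]
        if status == "redirected":
            # Work the target incident, never the merged one.
            redirects[inc["id"]] = resolve_redirect(inc["id"], by_id)
        elif status == "unknownFutureValue":
            # Sentinel: re-query with the Prefer header rather than guess.
            needs_header.append(inc["id"])
        elif status in OPEN_STATUSES:
            queue_ids.add(inc["id"])
        # resolved incidents are dropped from the queue.

    # Highest severity first; within a severity, oldest first so nothing ages out.
    ordered = sorted(queue_ids, key=lambda i: (-SEVERITY_RANK.get(by_id[i]["severity"], 0),
                                               by_id[i]["createdDateTime"]))
    return {"queue": ordered, "redirects": redirects, "needs_header": needs_header}


if __name__ == "__main__":
    print("GET", GRAPH_BETA_INCIDENTS, LIST_HEADERS["Prefer"])
    print(build_triage_queue(SAMPLE_INCIDENTS))
```

On the sample page the queue comes out as incidents 1 and 6 (high) followed by 3 (medium, awaitingAction), incident 2 maps to 1, and incident 4 is flagged for a re-query with the Prefer header. Sorting on createdDateTime as a string is safe only because every value shares the same ISO 8601 layout; parse the timestamps if a tenant mixes offsets.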

Relationships

Relationship Type Description
alerts microsoft.graph.security.alert collection The list of related alerts. Supports $expand.

JSON representation

The following JSON representation shows the resource type.

{
  "@odata.type": "#microsoft.graph.security.incident",
  "assignedTo": "String",
  "classification": "String",
  "comments": [{"@odata.type": "microsoft.graph.security.alertComment"}],
  "createdDateTime": "String (timestamp)",
  "customTags": ["String"],
  "description" : "String",
  "determination": "String",
  "displayName": "String",
  "id": "String (identifier)",
  "incidentWebUrl": "String",
  "lastModifiedBy": "String",
  "lastUpdateDateTime": "String (timestamp)",
  "recommendedActions" : "String",
  "recommendedHuntingQueries" : [{"@odata.type": "microsoft.graph.security.recommendedHuntingQuery"}],
  "redirectIncidentId": "String",
  "resolvingComment": "String",
  "severity": "String",
  "status": "String",
  "summary": "String",
  "systemTags" : ["String"],
  "tenantId": "String"
}