Retrieves the properties and relationships of an incident object.

  • Least privileged Microsoft Graph permission to access the action via application: SecurityIncident.Read.All.
  • Higher privileged Microsoft Graph permission to access the action via application: SecurityIncident.ReadWrite.All.
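
One way to confirm that the credential behind this read-only action carries only the least privileged permission, as an added example (not code from the integration or from Microsoft). It assumes an app-only Microsoft Entra access token, where granted application permissions appear in the `roles` claim; the function names and the sample tokens are constructed for illustration.

```python
import base64
import json

# Permission names are taken from the page; everything else is an assumption.
READ = "SecurityIncident.Read.All"
READ_WRITE = "SecurityIncident.ReadWrite.All"


def token_roles(access_token: str) -> set[str]:
    """Return the application permissions in an app-only token's `roles` claim.

    The payload is decoded for inspection only; the signature is NOT verified,
    so this must never be used to make an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    roles = claims.get("roles", [])
    if not isinstance(roles, list):
        raise ValueError("`roles` claim is not a list")
    return set(roles)


def audit_get_incident_token(access_token: str) -> dict:
    """Compare a token's permissions with what the Get Incident action needs."""
    roles = token_roles(access_token)
    return {
        "can_read": bool(roles & {READ, READ_WRITE}),
        "least_privilege": READ in roles and READ_WRITE not in roles,
        # Permissions this action does not need (other actions might).
        "not_needed": sorted(roles - {READ}),
    }


def make_sample_token(roles: list[str]) -> str:
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    def b64(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64({"roles": roles}), "sig"])


if __name__ == "__main__":
    for granted in ([READ], [READ_WRITE], [READ, "User.Read.All"], []):
        print(granted, audit_get_incident_token(make_sample_token(granted)))
```

A connection that reports `least_privilege: False` while only running read actions such as this one is a candidate for a narrower app registration.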

External Documentation

To learn more, visit the Microsoft Defender XDR documentation.

Parameters

| Parameter | Description |
| --- | --- |
| Incident ID | The ID of the incident. It can be obtained via the List Incidents action. |

Example Output

{
	"@odata.type": "#microsoft.graph.incident",
	"id": "2972395",
	"incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",
	"redirectIncidentId": null,
	"displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",
	"tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
	"createdDateTime": "2021-08-13T08:43:35.5533333Z",
	"lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",
	"assignedTo": "KaiC@contoso.com",
	"classification": "TruePositive",
	"determination": "MultiStagedAttack",
	"status": "Active",
	"severity": "Medium",
	"customTags": [
		"Demo"
	],
	"comments": [
		{
			"comment": "Demo incident",
			"createdBy": "DavidS@contoso.com",
			"createdTime": "2021-09-30T12:07:37.2756993Z"
		}
	],
	"systemTags": [
		"Defender Experts"
	],
	"description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...",
	"lastModifiedBy": "DavidS@contoso.onmicrosoft.com",
	"summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal."
}

Workflow Library Example

Get Incident with Microsoft Defender XDR and Send Results Via Email
