> ## Documentation Index
> Fetch the complete documentation index at: https://docs.blinkops.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Get Incident

Retrieves the properties and relationships of an incident object.

* **Least privileged** Microsoft Graph permission to access the action via **application**: `SecurityIncident.Read.All`.
* **Higher privileged** Microsoft Graph permission to access the action via **application**: `SecurityIncident.ReadWrite.All`.

<Note>
  External Documentation

  To learn more, visit the [Microsoft Defender XDR documentation](https://learn.microsoft.com/en-us/graph/api/security-incident-get?view=graph-rest-1.0\&tabs=http).
</Note>

## Parameters

<div className="integrations-table">
  | Parameter   | Description                                                              |
  | ----------- | ------------------------------------------------------------------------ |
  | Incident ID | The ID of the incident, can be obtained via the `List Incidents` action. |
</div>

## Example Output

```json theme={"dark"}
{
	"@odata.type": "#microsoft.graph.incident",
	"id": "2972395",
	"incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",
	"redirectIncidentId": null,
	"displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",
	"tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
	"createdDateTime": "2021-08-13T08:43:35.5533333Z",
	"lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",
	"assignedTo": "KaiC@contoso.com",
	"classification": "TruePositive",
	"determination": "MultiStagedAttack",
	"status": "Active",
	"severity": "Medium",
	"customTags": [
		"Demo"
	],
	"comments": [
		{
			"comment": "Demo incident",
			"createdBy": "DavidS@contoso.com",
			"createdTime": "2021-09-30T12:07:37.2756993Z"
		}
	],
	"systemTags": [
		"Defender Experts"
	],
	"description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...",
	"lastModifiedBy": "DavidS@contoso.onmicrosoft.com",
	"summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal."
}
```

## Workflow Library Example

[Get Incident with Microsoft Defender Xdr and Send Results Via Email](https://library.blinkops.com/workflows/get-incident-with-microsoft-defender-xdr-and-send-results-via-email)

<div className="iframe-wrapper">
  <div className="iframe-media">
    <img src="https://mintcdn.com/blinkops-2/ojHYuDeYX5FWuN8a/img/Icons/play-box.svg?fit=max&auto=format&n=ojHYuDeYX5FWuN8a&q=85&s=b8af968e71438a9499c3223c9bd29fb2" alt="Workflow Library" width="16" height="16" data-path="img/Icons/play-box.svg" />

    Preview this Workflow on desktop
  </div>

  <iframe className="iframe" src="https://library.blinkops.com/workflows/get-incident-with-microsoft-defender-xdr-and-send-results-via-email/canvas" />
</div>
