Skip to main content
Update the properties of an incident object. Supply only the values for properties that should be updated.
  • Least privileged Microsoft Graph permission to access the action via application: SecurityIncident.ReadWrite.All*.
External DocumentationTo learn more, visit the Microsoft Defender XDR documentation.

Basic Parameters

ParameterDescription
Assigned ToOwner of the incident, or null if no owner is assigned.
ClassificationThe specification for the incident.
DeterminationSpecifies the determination of the incident.
Incident IDThe ID of the incident, can be obtained via the List Incidents action.
StatusThe status of the incident.
SummaryThe overview of an attack. When applicable, the summary contains details of what occurred, impacted assets, and the type of attack.

Advanced Parameters

ParameterDescription
Custom TagsA comma separated list of custom tags associated with an incident.

Example Output

{
	"@odata.type": "#microsoft.graph.incident",
	"id": "2972395",
	"incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",
	"redirectIncidentId": null,
	"displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",
	"tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
	"createdDateTime": "2021-08-13T08:43:35.5533333Z",
	"lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",
	"assignedTo": "KaiC@contoso.com",
	"classification": "TruePositive",
	"determination": "MultiStagedAttack",
	"status": "Active",
	"severity": "Medium",
	"customTags": [
		"Demo"
	],
	"comments": [
		{
			"comment": "Demo incident",
			"createdBy": "DavidS@contoso.com",
			"createdTime": "2021-09-30T12:07:37.2756993Z"
		}
	],
	"systemTags": [
		"Defender Experts"
	],
	"description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...",
	"summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal."
}

Workflow Library Example

Update Incident with Microsoft Defender Xdr and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop