
Update Incident

Update the properties of an incident object. Supply values only for the properties that should change; properties you leave out are not modified. The least-privileged permission required is SecurityIncident.ReadWrite.All.

External Documentation

To learn more, visit the Microsoft Defender XDR documentation.

Basic Parameters

Parameter | Description
--- | ---
Assigned To | Owner of the incident, or null if no owner is assigned.
Classification | Classification of the incident. Microsoft Graph defines the values unknown, falsePositive, truePositive and informationalExpectedActivity (the example output below renders them in PascalCase).
Determination | The determination of the incident. Microsoft Graph defines the values unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedUser, phishing, maliciousUserActivity, clean, insufficientData, confirmedUserActivity and lineOfBusinessApplication.
Incident ID | The ID of the incident; it can be obtained via the List Incidents action.
Status | The status of the incident. Microsoft Graph defines the values active, resolved, inProgress and redirected.
Summary | The overview of an attack. When applicable, the summary contains details of what occurred, the impacted assets, and the type of attack.

Advanced Parameters

Parameter | Description
--- | ---
Custom Tags | A comma-separated list of custom tags associated with the incident; the API stores them as a JSON array.
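The following script shows what this action does under the hood: it builds a Microsoft Graph PATCH body containing only the supplied properties, converts the comma-separated Custom Tags parameter into the array the API stores, validates the enum values, and checks the returned incident against what was sent. It is an added example, not the workflow library's own code, and it assumes you already hold a bearer token with SecurityIncident.ReadWrite.All (read here from a hypothetical GRAPH_TOKEN environment variable), that sending null for assignedTo clears the owner, and that Graph accepts its enum names case-insensitively; the tag "usb-worm" and the sample incident are constructed for the demonstration.

```python
"""Build and send a Microsoft Graph PATCH for /security/incidents/{id}.

Added example, not the workflow library's own code. It assumes you already hold
an OAuth 2.0 bearer token carrying SecurityIncident.ReadWrite.All (for example
obtained through MSAL) and uses only the endpoint and microsoft.graph.incident
property names that the Graph documentation defines.
"""
import json
import os
import urllib.request

GRAPH_INCIDENTS = "https://graph.microsoft.com/v1.0/security/incidents"

# Enumeration values defined for microsoft.graph.incident. Graph spells them in
# camelCase; the example output on this page shows PascalCase, so input is
# matched case-insensitively and canonicalised before it is sent.
CLASSIFICATIONS = ("unknown", "falsePositive", "truePositive",
                   "informationalExpectedActivity")
DETERMINATIONS = ("unknown", "apt", "malware", "securityPersonnel",
                  "securityTesting", "unwantedSoftware", "other",
                  "multiStagedAttack", "compromisedUser", "phishing",
                  "maliciousUserActivity", "clean", "insufficientData",
                  "confirmedUserActivity", "lineOfBusinessApplication")
STATUSES = ("active", "resolved", "inProgress", "redirected")


def _canonical(value, allowed, field):
    """Map a case-insensitive enum name to Graph's spelling, or raise ValueError."""
    for name in allowed:
        if name.lower() == value.lower():
            return name
    raise ValueError(f"{field}: {value!r} is not one of {allowed}")


def build_update_body(assigned_to=None, classification=None, determination=None,
                      status=None, summary=None, custom_tags=None):
    """Return a PATCH body holding only the properties that were supplied.

    None means "leave unchanged" and is omitted, which is what the action's
    "supply only the values to update" rule requires. custom_tags mirrors the
    Custom Tags parameter: a comma-separated string, converted to the JSON
    array Graph stores. Passing assigned_to="" sends null, assumed here to
    clear the owner (the page documents null as "no owner is assigned").
    """
    body = {}
    if assigned_to is not None:
        body["assignedTo"] = assigned_to or None
    if classification is not None:
        body["classification"] = _canonical(classification, CLASSIFICATIONS, "classification")
    if determination is not None:
        body["determination"] = _canonical(determination, DETERMINATIONS, "determination")
    if status is not None:
        body["status"] = _canonical(status, STATUSES, "status")
    if summary is not None:
        body["summary"] = summary
    if custom_tags is not None:
        body["customTags"] = [t.strip() for t in custom_tags.split(",") if t.strip()]
    return body


def update_incident(token, incident_id, body, opener=urllib.request.urlopen):
    """PATCH the incident and return the updated object Graph sends back."""
    request = urllib.request.Request(
        f"{GRAPH_INCIDENTS}/{incident_id}",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with opener(request) as response:
        return json.load(response)


def unapplied_fields(body, incident):
    """Keys of body whose value is not reflected in the returned incident.

    Strings are compared case-insensitively because Graph may echo enum values
    in a different case than the one sent (compare the example output).
    """
    def same(sent, got):
        if isinstance(sent, str) and isinstance(got, str):
            return sent.lower() == got.lower()
        return sent == got
    return [key for key, value in body.items() if not same(value, incident.get(key))]


if __name__ == "__main__":
    # Values taken from the page's example output; "usb-worm" is a constructed tag.
    body = build_update_body(assigned_to="KaiC@contoso.com", classification="TruePositive",
                             determination="MultiStagedAttack", status="Active",
                             custom_tags="Demo, usb-worm")
    print(json.dumps(body, indent=2))
    # The request is only sent when a token is supplied (GRAPH_TOKEN is assumed).
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        updated = update_incident(token, "2972395", body)
        print("not applied:", unapplied_fields(body, updated))
```

Checking the returned object with unapplied_fields is the step worth keeping in a workflow: a 200 response alone does not prove a field changed, and a mismatch on customTags in particular usually means the comma-separated input was not split into an array.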

Example Output

{
  "@odata.type": "#microsoft.graph.incident",
  "id": "2972395",
  "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",
  "redirectIncidentId": null,
  "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",
  "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
  "createdDateTime": "2021-08-13T08:43:35.5533333Z",
  "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",
  "assignedTo": "KaiC@contoso.com",
  "classification": "TruePositive",
  "determination": "MultiStagedAttack",
  "status": "Active",
  "severity": "Medium",
  "customTags": [
    "Demo"
  ],
  "comments": [
    {
      "comment": "Demo incident",
      "createdBy": "DavidS@contoso.com",
      "createdTime": "2021-09-30T12:07:37.2756993Z"
    }
  ],
  "systemTags": [
    "Defender Experts"
  ],
  "description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...",
  "summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal."
}

Workflow Library Example

Update Incident with Microsoft Defender Xdr and Send Results Via Email
