Update Incident
Update the properties of an incident object. Supply only the values for properties that should be updated.
- Least privileged Microsoft Graph permission to access the action via application:
SecurityIncident.ReadWrite.All*.
External Documentation
To learn more, visit the Microsoft Defender XDR documentation.
Basic Parameters
| Parameter | Description |
|---|---|
| Assigned To | Owner of the incident, or null if no owner is assigned. |
| Classification | The specification for the incident. |
| Determination | Specifies the determination of the incident. |
| Incident ID | The ID of the incident, can be obtained via the List Incidents action. |
| Status | The status of the incident. |
| Summary | The overview of an attack. When applicable, the summary contains details of what occurred, impacted assets, and the type of attack. |
Advanced Parameters
| Parameter | Description |
|---|---|
| Custom Tags | A comma separated list of custom tags associated with an incident. |
Example Output
{
"@odata.type": "#microsoft.graph.incident",
"id": "2972395",
"incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",
"redirectIncidentId": null,
"displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",
"tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
"createdDateTime": "2021-08-13T08:43:35.5533333Z",
"lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",
"assignedTo": "KaiC@contoso.com",
"classification": "TruePositive",
"determination": "MultiStagedAttack",
"status": "Active",
"severity": "Medium",
"customTags": [
"Demo"
],
"comments": [
{
"comment": "Demo incident",
"createdBy": "DavidS@contoso.com",
"createdTime": "2021-09-30T12:07:37.2756993Z"
}
],
"systemTags": [
"Defender Experts"
],
"description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...",
"summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal."
}
Workflow Library Example
Update Incident with Microsoft Defender Xdr and Send Results Via Email
Preview this Workflow on desktop