Create Or Update Incident
Creates or updates an incident.
External Documentation
To learn more, visit the Microsoft Sentinel documentation.
Basic Parameters
| Parameter | Description |
|---|---|
| Incident ID | Incident ID to upsert. If doesn't exist, creates the incident with the given ID and properties. Otherwise, updates it. |
| Resource Group Name | The name of the resource group. The name is case insensitive. |
| Severity | The severity of the incident. |
| Status | The status of the incident. |
| Subscription ID | The ID of the target subscription. |
| Title | The title of the incident. |
| Workspace Name | The name of the workspace. Use the Log Analytics List Workspaces action to get workspace names. |
Advanced Parameters
| Parameter | Description |
|---|---|
| Classification | The reason the incident was closed. |
| Classification Comment | Describes the reason the incident was closed. |
| Classification Reason | The classification reason the incident was closed with. |
| Description | The description of the incident. |
| Owner Object ID | The object id of the user the incident is assigned to. |
Example Output
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"type": "Microsoft.SecurityInsights/incidents",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"",
"properties": {
"lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
"createdTimeUtc": "2019-01-01T13:15:30Z",
"lastActivityTimeUtc": "2019-01-01T13:05:30Z",
"firstActivityTimeUtc": "2019-01-01T13:00:30Z",
"description": "This is a demo incident",
"title": "My incident",
"owner": {
"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
"email": "john.doe@contoso.com",
"userPrincipalName": "john@contoso.com",
"assignedTo": "john doe"
},
"severity": "High",
"classification": "FalsePositive",
"classificationComment": "Not a malicious activity",
"classificationReason": "IncorrectAlertLogic",
"status": "Closed",
"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"incidentNumber": 3177,
"labels": [],
"relatedAnalyticRuleIds": [],
"additionalData": {
"alertsCount": 0,
"bookmarksCount": 0,
"commentsCount": 3,
"alertProductNames": [],
"tactics": []
}
}
}
Workflow Library Example
Create or Update Incident with Microsoft Sentinel and Send Results Via Email
Preview this Workflow on desktop