Create or update an incident.
Note: if this action fails with the error "A new version of Microsoft XDR incident is available. Fetch the new version and try again", the incident was modified after the version this action is working from was read. Run the Get Incident action with the same incident ID to fetch the current version, then retry this action.
Basic Parameters
| Parameter | Description |
|---|---|
| Incident ID | Incident ID to upsert. If no incident with this ID exists, one is created with the given ID and properties; otherwise the existing incident is updated. |
| Resource Group Name | The name of the resource group. The name is case insensitive. |
| Severity | The severity of the incident. |
| Status | The status of the incident. |
| Subscription ID | The ID of the target subscription. |
| Title | The title of the incident. |
| Workspace Name | The name of the workspace. |
Advanced Parameters
| Parameter | Description |
|---|---|
| Classification | The classification the incident was closed with (for example, FalsePositive in the output below). |
| Classification Comment | Free-text comment describing why the incident was closed. |
| Classification Reason | The more specific reason behind the classification (for example, IncorrectAlertLogic in the output below). |
| Description | The description of the incident. |
| Owner Object ID | The object ID of the user the incident is assigned to. |
Example Output
```json
{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"",
  "type": "Microsoft.SecurityInsights/incidents",
  "properties": {
    "title": "My incident",
    "severity": "High",
    "status": "Closed",
    "classification": "FalsePositive",
    "classificationReason": "IncorrectAlertLogic",
    "classificationComment": "Not a malicious activity",
    "owner": {
      "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
      "email": "john.doe@contoso.com",
      "assignedTo": "john doe",
      "userPrincipalName": "john@contoso.com"
    },
    "labels": [],
    "lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
    "createdTimeUtc": "2019-01-01T13:15:30Z",
    "incidentNumber": 3177,
    "additionalData": {
      "alertsCount": 0,
      "bookmarksCount": 0,
      "commentsCount": 3,
      "alertProductNames": [],
      "tactics": []
    },
    "relatedAnalyticRuleIds": [],
    "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
    "providerName": "<string>",
    "providerIncidentId": "<string>",
    "lastActivityTimeUtc": "2019-01-01T13:05:30Z",
    "firstActivityTimeUtc": "2019-01-01T13:00:30Z",
    "description": "This is a demo incident"
  }
}
```
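The following is an added example, not Blink's own code, showing the upsert and the "fetch the new version, then retry" recovery from the note above in one script. The resource path and JSON shape follow the example output; the identifiers are copied from it. The HTTP layer is a constructed in-memory fake (`FakeSentinel`), and it assumes, as the real service does, that an update carrying an etag that no longer matches the stored incident is rejected and that every successful write produces a fresh etag. The refuse-to-reopen guard in `upsert_incident` is this example's own policy, not part of the action.

```python
import copy

# Identifiers taken from this page's example output.
SUBSCRIPTION_ID = "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"
RESOURCE_GROUP = "myRg"
WORKSPACE = "myWorkspace"
INCIDENT_ID = "73e01a99-5cd7-4139-a149-9f2736ff2ab5"


def incident_path(subscription_id, resource_group, workspace, incident_id):
    """ARM resource id of the incident; the Incident ID parameter is its last segment."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/incidents/{incident_id}")


def build_body(title, severity, status, etag=None, description=None,
               owner_object_id=None, classification=None,
               classification_reason=None, classification_comment=None):
    """Request body for create-or-update, one field per parameter on this page."""
    props = {"title": title, "severity": severity, "status": status}
    if description is not None:
        props["description"] = description
    if owner_object_id is not None:
        props["owner"] = {"objectId": owner_object_id}
    if classification is not None:
        props["classification"] = classification
    if classification_reason is not None:
        props["classificationReason"] = classification_reason
    if classification_comment is not None:
        props["classificationComment"] = classification_comment
    body = {"properties": props}
    if etag is not None:
        body["etag"] = etag  # version the caller last read; omitted on first create
    return body


class VersionConflict(Exception):
    """The service reported that a newer version of the incident exists."""


class FakeSentinel:
    """Constructed in-memory stand-in for the incidents endpoint (no network).
    Assumption: an update whose etag does not match the stored one is rejected,
    and every successful write yields a fresh etag."""

    def __init__(self):
        self.store = {}
        self.version = 0
        self.put_calls = 0

    def get(self, path):
        return copy.deepcopy(self.store.get(path))

    def put(self, path, body):
        self.put_calls += 1
        current = self.store.get(path)
        if current is not None and body.get("etag") != current["etag"]:
            raise VersionConflict("A new version of Microsoft XDR incident is available. "
                                  "Fetch the new version and try again")
        self.version += 1
        stored = {"id": path, "name": path.rsplit("/", 1)[-1],
                  "etag": f'"v{self.version}"',
                  "type": "Microsoft.SecurityInsights/incidents",
                  "properties": copy.deepcopy(body["properties"])}
        self.store[path] = stored
        return copy.deepcopy(stored)


def upsert_incident(client, path, body, max_attempts=3):
    """PUT the incident; on a version conflict do what the note says: fetch the
    current incident, then retry carrying its etag.
    Example-specific guard: if the refetched incident was closed by someone else
    and this write would reopen it, stop rather than overwrite their decision."""
    for _ in range(max_attempts):
        try:
            return client.put(path, body)
        except VersionConflict:
            current = client.get(path)
            if (current["properties"].get("status") == "Closed"
                    and body["properties"].get("status") != "Closed"):
                raise RuntimeError("incident was closed concurrently; refusing to reopen it")
            body = {**body, "etag": current["etag"]}  # retry with the current version
    raise RuntimeError("gave up after repeated version conflicts")


if __name__ == "__main__":
    api = FakeSentinel()
    path = incident_path(SUBSCRIPTION_ID, RESOURCE_GROUP, WORKSPACE, INCIDENT_ID)
    created = upsert_incident(api, path, build_body("My incident", "High", "New"))
    # another writer moves the incident on, so our next write carries a stale etag
    api.put(path, build_body("My incident", "High", "Active", etag=created["etag"]))
    updated = upsert_incident(api, path, build_body("My incident", "Medium", "Active",
                                                    etag=created["etag"]))
    print(updated["etag"], updated["properties"]["severity"])
```

A blind retry with a refreshed etag resolves the error but can also silently discard whatever the other writer changed; the guard shows one place where re-reading the fetched incident before retrying matters, because reopening an incident an analyst just closed is a worse outcome than failing the workflow step.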
Workflow Library Example
Create or Update Incident with Microsoft Sentinel and Send Results Via Email