> ## Documentation Index
> Fetch the complete documentation index at: https://docs.blinkops.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create Or Update Incident

Create or update an incident.

**Note**, If you receive the error message `A new version of Microsoft XDR incident is available. Fetch the new version and try again`, first run the `Get Incident` action using the same `incident ID`, then retry this action.

<Note>
  External Documentation

  To learn more, visit the [Microsoft Sentinel documentation](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/create-or-update?view=rest-securityinsights-2023-02-01\&tabs=HTTP).
</Note>

## Basic Parameters

<div className="integrations-table">
  | Parameter           | Description                                                                                                            |
  | ------------------- | ---------------------------------------------------------------------------------------------------------------------- |
  | Incident ID         | Incident ID to upsert. If doesn't exist, creates the incident with the given ID and properties. Otherwise, updates it. |
  | Resource Group Name | The name of the resource group. The name is case insensitive.                                                          |
  | Severity            | The severity of the incident.                                                                                          |
  | Status              | The status of the incident.                                                                                            |
  | Subscription ID     | The ID of the target subscription.                                                                                     |
  | Title               | The title of the incident.                                                                                             |
  | Workspace Name      | The name of the workspace.                                                                                             |
</div>

## Advanced Parameters

<div className="integrations-table">
  | Parameter              | Description                                             |
  | ---------------------- | ------------------------------------------------------- |
  | Classification         | The reason the incident was closed.                     |
  | Classification Comment | Describes the reason the incident was closed.           |
  | Classification Reason  | The classification reason the incident was closed with. |
  | Description            | The description of the incident.                        |
  | Owner Object ID        | The object id of the user the incident is assigned to.  |
</div>

## Example Output

```json theme={"dark"}
{
	"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
	"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
	"etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"",
	"type": "Microsoft.SecurityInsights/incidents",
	"properties": {
		"title": "My incident",
		"severity": "High",
		"status": "Closed",
		"classification": "FalsePositive",
		"classificationReason": "IncorrectAlertLogic",
		"classificationComment": "Not a malicious activity",
		"owner": {
			"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
			"email": "john.doe@contoso.com",
			"assignedTo": "john doe",
			"userPrincipalName": "john@contoso.com"
		},
		"labels": [],
		"lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
		"createdTimeUtc": "2019-01-01T13:15:30Z",
		"incidentNumber": 3177,
		"additionalData": {
			"alertsCount": 0,
			"bookmarksCount": 0,
			"commentsCount": 3,
			"alertProductNames": [],
			"tactics": []
		},
		"relatedAnalyticRuleIds": [],
		"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
		"providerName": "<string>",
		"providerIncidentId": "<string>",
		"lastActivityTimeUtc": "2019-01-01T13:05:30Z",
		"firstActivityTimeUtc": "2019-01-01T13:00:30Z",
		"description": "This is a demo incident"
	}
}
```

## Workflow Library Example

[Create or Update Incident with Microsoft Sentinel and Send Results Via Email](https://library.blinkops.com/workflows/create-or-update-incident-with-microsoft-sentinel-and-send-results-via-email)

<div className="iframe-wrapper">
  <div className="iframe-media">
    <img src="https://mintcdn.com/blinkops-2/ojHYuDeYX5FWuN8a/img/Icons/play-box.svg?fit=max&auto=format&n=ojHYuDeYX5FWuN8a&q=85&s=b8af968e71438a9499c3223c9bd29fb2" alt="Workflow Library" width="16" height="16" data-path="img/Icons/play-box.svg" />

    Preview this Workflow on desktop
  </div>

  <iframe className="iframe" src="https://library.blinkops.com/workflows/create-or-update-incident-with-microsoft-sentinel-and-send-results-via-email/canvas" />
</div>
