Skip to main content

Get Incident

Gets a given incident.

External Documentation

To learn more, visit the Microsoft Sentinel documentation.

Parameters

ParameterDescription
Incident IDIncident ID.
Resource Group NameThe name of the resource group. The name is case insensitive.
Subscription IDThe ID of the target subscription.
Workspace NameThe name of the workspace. Use the Log Analytics List Workspaces action to get workspace names.

Example Output

{
    "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
    "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
    "type": "Microsoft.SecurityInsights/incidents",
    "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
    "properties": {
        "lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
        "createdTimeUtc": "2019-01-01T13:15:30Z",
        "lastActivityTimeUtc": "2019-01-01T13:05:30Z",
        "firstActivityTimeUtc": "2019-01-01T13:00:30Z",
        "description": "This is a demo incident",
        "title": "My incident",
        "owner": {
            "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
            "email": "john.doe@contoso.com",
            "userPrincipalName": "john@contoso.com",
            "assignedTo": "john doe"
        },
        "severity": "High",
        "classification": "FalsePositive",
        "classificationComment": "Not a malicious activity",
        "classificationReason": "InaccurateData",
        "status": "Closed",
        "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
        "incidentNumber": 3177,
        "labels": [],
        "relatedAnalyticRuleIds": [
            "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7"
        ],
        "additionalData": {
            "alertsCount": 0,
            "bookmarksCount": 0,
            "commentsCount": 3,
            "alertProductNames": [],
            "tactics": [
                "InitialAccess",
                "Persistence"
            ]
        }
    }
}

Workflow Library Example

Get Incident with Microsoft Sentinel and Send Results Via Email

Workflow LibraryPreview this Workflow on desktop