Skip to main content
Get all comments for a given incident.
External DocumentationTo learn more, visit the Microsoft Sentinel documentation.

Basic Parameters

ParameterDescription
Incident IDThe ID of the incident, can be obtained by using the List Incidents action.
Resource Group NameThe name of the resource group. The name is case insensitive.
Return All PagesAutomatically fetch all resources, page by page.
Subscription IDThe ID of the target subscription.
Workspace NameThe name of the workspace.

Advanced Parameters

ParameterDescription
FilterFilter the results by inserting a query.

Note: You can filter only based on properties attributes.

Example: properties/message eq 'messageContent'
Order BySort the results by inserting a query.

Example: properties/createdTimeUtc desc.
Skip TokenSpecifies a starting point to show results from, this token is received in case that the previous request returned a partial result.
TopReturn Only the first n results.

Example Output

{
	"results": [
		{
			"etag": "0300bf09-0000-0000-0000-5c37296e0000",
			"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014",
			"name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014",
			"properties": {
				"author": {
					"email": "john.doe@contoso.com",
					"name": "john doe",
					"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
					"userPrincipalName": "john@contoso.com"
				},
				"createdTimeUtc": "2019-01-01T13:15:30Z",
				"lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
				"message": "Some message"
			},
			"type": "Microsoft.SecurityInsights/incidents/comments"
		}
	]
}

Workflow Library Example

List Incident Comments with Microsoft Sentinel and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop