Triggers a workflow on a new incident.

Workflows based on this trigger will search for new events every minute.

Parameters

| Parameter | Description |
| --- | --- |
| Resource Group Name | The name of the resource group. The name is case-insensitive. |
| Subscription ID | The ID of the target subscription. |
| Workspace Name | The name of the workspace. |

Sample Event

{
	"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
	"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
	"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
	"type": "Microsoft.SecurityInsights/incidents",
	"properties": {
		"title": "My incident",
		"description": "This is a demo incident",
		"severity": "High",
		"status": "Closed",
		"classification": "FalsePositive",
		"classificationReason": "InaccurateData",
		"classificationComment": "Not a malicious activity",
		"owner": {
			"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
			"email": "john.doe@contoso.com",
			"assignedTo": "john doe",
			"userPrincipalName": "john@contoso.com",
			"ownerType": "User"
		},
		"labels": [],
		"firstActivityTimeUtc": "2019-01-01T13:00:30Z",
		"lastActivityTimeUtc": "2019-01-01T13:05:30Z",
		"lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
		"createdTimeUtc": "2019-01-01T13:15:30Z",
		"incidentNumber": 3177,
		"additionalData": {
			"alertsCount": 0,
			"bookmarksCount": 0,
			"commentsCount": 3,
			"alertProductNames": [],
			"tactics": [
				"InitialAccess",
				"Persistence"
			],
			"techniques": [
				"T1091",
				"T1133",
				"T1053"
			],
			"providerIncidentUrl": "https://security.microsoft.com/incidents/3177?tid=5b5a146c-eba8-46af-96f8-e31b50d15a3f"
		},
		"relatedAnalyticRuleIds": [
			"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7"
		],
		"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
		"providerName": "Azure Sentinel",
		"providerIncidentId": "3177"
	}
}