Skip to main content

New Incident

Triggers a workflow on a new incident.

info

Automations based on this trigger will search for new events every minute.

Parameters

ParameterDescription
Resource Group NameThe name of the resource group. The name is case insensitive.
Subscription IDThe ID of the target subscription.
Workspace NameThe name of the workspace. Use the Log Analytics List Workspaces action to get workspace names.

Sample Event

{
    "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
    "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
    "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
    "type": "Microsoft.SecurityInsights/incidents",
    "properties": {
        "title": "My incident",
        "description": "This is a demo incident",
        "severity": "High",
        "status": "Closed",
        "classification": "FalsePositive",
        "classificationReason": "InaccurateData",
        "classificationComment": "Not a malicious activity",
        "owner": {
            "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
            "email": "john.doe@contoso.com",
            "assignedTo": "john doe",
            "userPrincipalName": "john@contoso.com",
            "ownerType": "User"
        },
        "labels": [],
        "firstActivityTimeUtc": "2019-01-01T13:00:30Z",
        "lastActivityTimeUtc": "2019-01-01T13:05:30Z",
        "lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
        "createdTimeUtc": "2019-01-01T13:15:30Z",
        "incidentNumber": 3177,
        "additionalData": {
            "alertsCount": 0,
            "bookmarksCount": 0,
            "commentsCount": 3,
            "alertProductNames": [],
            "tactics": [
                "InitialAccess",
                "Persistence"
            ],
            "techniques": [
                "T1091",
                "T1133",
                "T1053"
            ],
            "providerIncidentUrl": "https://security.microsoft.com/incidents/3177?tid=5b5a146c-eba8-46af-96f8-e31b50d15a3f"
        },
        "relatedAnalyticRuleIds": [
            "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7"
        ],
        "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
        "providerName": "Azure Sentinel",
        "providerIncidentId": "3177"
    }
}