> ## Documentation Index
> Fetch the complete documentation index at: https://docs.blinkops.com/llms.txt
> Use this file to discover all available pages before exploring further.

# New Incident

Triggers a workflow on a new incident.

**Endpoint**: `https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents`

<Note>
  Workflows based on this trigger will search for new events **every minute**.
</Note>

## Parameters

<div className="integrations-table">
  | Parameter           | Description                                                   |
  | ------------------- | ------------------------------------------------------------- |
  | Resource Group Name | The name of the resource group. The name is case insensitive. |
  | Subscription ID     | The ID of the target subscription.                            |
  | Workspace Name      | The name of the workspace.                                    |
</div>

## Sample Event

```json theme={"dark"}
{
	"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
	"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
	"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
	"type": "Microsoft.SecurityInsights/incidents",
	"properties": {
		"title": "My incident",
		"description": "This is a demo incident",
		"severity": "High",
		"status": "Closed",
		"classification": "FalsePositive",
		"classificationReason": "InaccurateData",
		"classificationComment": "Not a malicious activity",
		"owner": {
			"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
			"email": "john.doe@contoso.com",
			"assignedTo": "john doe",
			"userPrincipalName": "john@contoso.com",
			"ownerType": "User"
		},
		"labels": [],
		"firstActivityTimeUtc": "2019-01-01T13:00:30Z",
		"lastActivityTimeUtc": "2019-01-01T13:05:30Z",
		"lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
		"createdTimeUtc": "2019-01-01T13:15:30Z",
		"incidentNumber": 3177,
		"additionalData": {
			"alertsCount": 0,
			"bookmarksCount": 0,
			"commentsCount": 3,
			"alertProductNames": [],
			"tactics": [
				"InitialAccess",
				"Persistence"
			],
			"techniques": [
				"T1091",
				"T1133",
				"T1053"
			],
			"providerIncidentUrl": "https://security.microsoft.com/incidents/3177?tid=5b5a146c-eba8-46af-96f8-e31b50d15a3f"
		},
		"relatedAnalyticRuleIds": [
			"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7"
		],
		"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
		"providerName": "Azure Sentinel",
		"providerIncidentId": "3177"
	}
}
```
