Incidents - List
Gets all incidents.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents?api-version=2025-03-01GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents?api-version=2025-03-01&$filter={$filter}&$orderby={$orderby}&$top={$top}&$skipToken={$skipToken}URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
resource
|
path | True |
string minLength: 1maxLength: 90 |
The name of the resource group. The name is case insensitive. |
|
subscription
|
path | True |
string (uuid) |
The ID of the target subscription. The value must be an UUID. |
|
workspace
|
path | True |
string minLength: 1maxLength: 90 pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$ |
The name of the workspace. |
|
api-version
|
query | True |
string minLength: 1 |
The API version to use for this operation. |
|
$filter
|
query |
string |
Filters the results, based on a Boolean condition. Optional. |
|
|
$orderby
|
query |
string |
Sorts the results. Optional. |
|
|
$skip
|
query |
string |
Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. |
|
|
$top
|
query |
integer (int32) maximum: 1000 |
Returns only the first n results. Optional. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
OK, Operation successfully completed |
|
| Other Status Codes |
Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
Get all incidents.
Sample request
GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents?api-version=2025-03-01&$orderby=properties/createdTimeUtc desc&$top=1
Sample response
{
"value": [
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"type": "Microsoft.SecurityInsights/incidents",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
"createdTimeUtc": "2019-01-01T13:15:30Z",
"lastActivityTimeUtc": "2019-01-01T13:05:30Z",
"firstActivityTimeUtc": "2019-01-01T13:00:30Z",
"description": "This is a demo incident",
"title": "My incident",
"owner": {
"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
"email": "john.doe@contoso.com",
"userPrincipalName": "john@contoso.com",
"assignedTo": "john doe"
},
"severity": "High",
"classification": "FalsePositive",
"classificationComment": "Not a malicious activity",
"classificationReason": "IncorrectAlertLogic",
"status": "Closed",
"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"incidentNumber": 3177,
"labels": [],
"providerName": "Azure Sentinel",
"providerIncidentId": "3177",
"relatedAnalyticRuleIds": [
"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
],
"additionalData": {
"alertsCount": 0,
"bookmarksCount": 0,
"commentsCount": 3,
"alertProductNames": [],
"tactics": [
"Persistence"
]
}
}
}
]
}Definitions
| Name | Description |
|---|---|
|
Attack |
The severity for alerts created by this alert rule. |
|
Cloud |
Error response structure. |
|
Cloud |
Error details. |
|
created |
The type of identity that created the resource. |
| Incident |
Represents an incident in Azure Security Insights. |
|
Incident |
Incident additional data property bag. |
|
Incident |
The reason the incident was closed |
|
Incident |
The classification reason the incident was closed with |
|
Incident |
Represents an incident label |
|
Incident |
The type of the label |
|
Incident |
List all the incidents. |
|
Incident |
Information on the user an incident is assigned to |
|
Incident |
The severity of the incident |
|
Incident |
The status of the incident |
|
Owner |
The type of the owner the incident is assigned to. |
|
system |
Metadata pertaining to creation and last modification of the resource. |
AttackTactic
The severity for alerts created by this alert rule.
| Value | Description |
|---|---|
| Collection | |
| CommandAndControl | |
| CredentialAccess | |
| DefenseEvasion | |
| Discovery | |
| Execution | |
| Exfiltration | |
| Impact | |
| ImpairProcessControl | |
| InhibitResponseFunction | |
| InitialAccess | |
| LateralMovement | |
| Persistence | |
| PreAttack | |
| PrivilegeEscalation | |
| Reconnaissance | |
| ResourceDevelopment |
CloudError
Error response structure.
| Name | Type | Description |
|---|---|---|
| error |
Error data |
CloudErrorBody
Error details.
| Name | Type | Description |
|---|---|---|
| code |
string |
An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
| message |
string |
A message describing the error, intended to be suitable for display in a user interface. |
createdByType
The type of identity that created the resource.
| Value | Description |
|---|---|
| Application | |
| Key | |
| ManagedIdentity | |
| User |
Incident
Represents an incident in Azure Security Insights.
| Name | Type | Description |
|---|---|---|
| etag |
string |
Etag of the azure resource |
| id |
string (arm-id) |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
| name |
string |
The name of the resource |
| properties.additionalData |
Additional data on the incident |
|
| properties.classification |
The reason the incident was closed |
|
| properties.classificationComment |
string |
Describes the reason the incident was closed |
| properties.classificationReason |
The classification reason the incident was closed with |
|
| properties.createdTimeUtc |
string (date-time) |
The time the incident was created |
| properties.description |
string |
The description of the incident |
| properties.firstActivityTimeUtc |
string (date-time) |
The time of the first activity in the incident |
| properties.incidentNumber |
integer (int32) |
A sequential number |
| properties.incidentUrl |
string |
The deep-link url to the incident in Azure portal |
| properties.labels |
List of labels relevant to this incident |
|
| properties.lastActivityTimeUtc |
string (date-time) |
The time of the last activity in the incident |
| properties.lastModifiedTimeUtc |
string (date-time) |
The last time the incident was updated |
| properties.owner |
Describes a user that the incident is assigned to |
|
| properties.providerIncidentId |
string |
The incident ID assigned by the incident provider |
| properties.providerName |
string |
The name of the source provider that generated the incident |
| properties.relatedAnalyticRuleIds |
string[] (arm-id) |
List of resource ids of Analytic rules related to the incident |
| properties.severity |
The severity of the incident |
|
| properties.status |
The status of the incident |
|
| properties.title |
string |
The title of the incident |
| systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
| type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
IncidentAdditionalData
Incident additional data property bag.
| Name | Type | Description |
|---|---|---|
| alertProductNames |
string[] |
List of product names of alerts in the incident |
| alertsCount |
integer (int32) |
The number of alerts in the incident |
| bookmarksCount |
integer (int32) |
The number of bookmarks in the incident |
| commentsCount |
integer (int32) |
The number of comments in the incident |
| providerIncidentUrl |
string |
The provider incident url to the incident in Microsoft 365 Defender portal |
| tactics |
The tactics associated with incident |
IncidentClassification
The reason the incident was closed
| Value | Description |
|---|---|
| BenignPositive |
Incident was benign positive |
| FalsePositive |
Incident was false positive |
| TruePositive |
Incident was true positive |
| Undetermined |
Incident classification was undetermined |
IncidentClassificationReason
The classification reason the incident was closed with
| Value | Description |
|---|---|
| InaccurateData |
Classification reason was inaccurate data |
| IncorrectAlertLogic |
Classification reason was incorrect alert logic |
| SuspiciousActivity |
Classification reason was suspicious activity |
| SuspiciousButExpected |
Classification reason was suspicious but expected |
IncidentLabel
Represents an incident label
| Name | Type | Description |
|---|---|---|
| labelName |
string |
The name of the label |
| labelType |
The type of the label |
IncidentLabelType
The type of the label
| Value | Description |
|---|---|
| AutoAssigned |
Label automatically created by the system |
| User |
Label manually created by a user |
IncidentList
List all the incidents.
| Name | Type | Description |
|---|---|---|
| nextLink |
string |
URL to fetch the next set of incidents. |
| value |
Incident[] |
Array of incidents. |
IncidentOwnerInfo
Information on the user an incident is assigned to
| Name | Type | Description |
|---|---|---|
| assignedTo |
string |
The name of the user the incident is assigned to. |
|
string |
The email of the user the incident is assigned to. |
|
| objectId |
string (uuid) |
The object id of the user the incident is assigned to. |
| ownerType |
The type of the owner the incident is assigned to. |
|
| userPrincipalName |
string |
The user principal name of the user the incident is assigned to. |
IncidentSeverity
The severity of the incident
| Value | Description |
|---|---|
| High |
High severity |
| Informational |
Informational severity |
| Low |
Low severity |
| Medium |
Medium severity |
IncidentStatus
The status of the incident
| Value | Description |
|---|---|
| Active |
An active incident which is being handled |
| Closed |
A non-active incident |
| New |
An active incident which isn't being handled currently |
OwnerType
The type of the owner the incident is assigned to.
| Value | Description |
|---|---|
| Group |
The incident owner type is an AAD group |
| Unknown |
The incident owner type is unknown |
| User |
The incident owner type is an AAD user |
systemData
Metadata pertaining to creation and last modification of the resource.
| Name | Type | Description |
|---|---|---|
| createdAt |
string (date-time) |
The timestamp of resource creation (UTC). |
| createdBy |
string |
The identity that created the resource. |
| createdByType |
The type of identity that created the resource. |
|
| lastModifiedAt |
string (date-time) |
The timestamp of resource last modification (UTC) |
| lastModifiedBy |
string |
The identity that last modified the resource. |
| lastModifiedByType |
The type of identity that last modified the resource. |