Create or Update Incident
Description

Create or update an incident in Microsoft Azure Sentinel, specifying subscription ID, resource group, workspace name, incident ID, and incident properties.

Endpoint URL

/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/incidents/{{incidentId}}

Method

PUT

Inputs

- Path Parameters (object) – required: Path parameters
  - subscriptionId (string) – required: The ID of the target subscription.
  - resourceGroupName (string) – required: The name of the resource group. The name is case insensitive.
  - workspaceName (string) – required: The name of the workspace. Regex pattern: `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$`
  - incidentId (string) – required: Incident ID.
- Parameters (object) – required: URL query parameters
  - api-version (string) – required: The API version to use for this action.
- JSON Body (object) – required
  - etag (string)
  - properties (object) – required
    - lastActivityTimeUtc (string): The time of the last activity in the incident.
    - firstActivityTimeUtc (string): The time of the first activity in the incident.
    - description (string): The description of the incident.
    - title (string) – required: The title of the incident.
    - owner (object): Describes a user that the incident is assigned to.
      - assignedTo (string)
      - email (string)
      - objectId (string)
      - ownerType (string)
      - userPrincipalName (string)
    - severity (string) – required: The severity of the incident.
    - classification (string): The reason the incident was closed.
    - classificationComment (string): Describes the reason the incident was closed.
    - classificationReason (string): The classification reason the incident was closed with.
    - status (string) – required: The status of the incident.
    - labels (array): List of labels relevant to this incident.
      - labelName (string)
      - labelType (string)

Output Example

```json
[
  {
    "status_code": 201,
    "response_headers": {
      "cache-control": "no-cache",
      "pragma": "no-cache",
      "content-length": "1480",
      "content-type": "application/json; charset=utf-8",
      "expires": "-1",
      "server": "Kestrel",
      "x-ms-ratelimit-remaining-subscription-resource-requests": "499",
      "x-ms-request-id": "02b3f250-c3ec-47bc-9bf6-13c2233ea13d",
      "x-ms-correlation-request-id": "02b3f250-c3ec-47bc-9bf6-13c2233ea13d",
      "x-ms-routing-request-id": "SOUTHINDIA:20230729T120425Z:02b3f250-c3ec-47bc-9bf6-13c2233ea13d",
      "strict-transport-security": "max-age=31536000; includeSubDomains",
      "x-content-type-options": "nosniff",
      "date": "Sat, 29 Jul 2023 12:04:25 GMT"
    },
    "reason": "Created",
    "json_body": {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
      "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
      "type": "Microsoft.SecurityInsights/incidents",
      "etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"",
      "properties": {
        "lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
        "createdTimeUtc": "2019-01-01T13:15:30Z",
        "lastActivityTimeUtc": "2019-01-01T13:05:30Z",
        "firstActivityTimeUtc": "2019-01-01T13:00:30Z",
        "description": "This is a demo incident",
        "title": "My incident",
        "owner": {
          "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
          "email": "john.doe@contoso.com",
          "userPrincipalName": "john@contoso.com",
          "assignedTo": "john doe",
          "ownerType": "User"
        },
        "severity": "High",
        "classification": "FalsePositive",
        "classificationComment": "Not a malicious activity",
        "classificationReason": "IncorrectAlertLogic",
        "status": "Closed",
        "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
        "incidentNumber": 3177,
        "labels": [
          {
            "labelName": "example label",
            "labelType": "AutoAssigned"
          }
        ],
        "providerName": "Azure Sentinel",
        "providerIncidentId": "3177",
        "relatedAnalyticRuleIds": [],
        "additionalData": {
          "alertsCount": 0,
          "bookmarksCount": 0,
          "commentsCount": 3,
          "alertProductNames": [],
          "tactics": []
        }
      }
    }
  }
]
```

Output Parameters

- status_code (number)
- reason (string)
- json_body (object)
  - id (string)
  - name (string)
  - type (string)
  - etag (string)
  - properties (object)
    - lastModifiedTimeUtc (string)
    - createdTimeUtc (string)
    - lastActivityTimeUtc (string)
    - firstActivityTimeUtc (string)
    - description (string)
    - title (string)
    - owner (object)
      - objectId (string)
      - email (string)
      - userPrincipalName (string)
      - assignedTo (string)
      - ownerType (string)
    - severity (string)
    - classification (string)
    - classificationComment (string)
    - classificationReason (string)
    - status (string)
    - incidentUrl (string)
    - incidentNumber (number)
    - labels (array)
      - labelName (string)
      - labelType (string)
    - providerName (string)
    - providerIncidentId (string)
    - relatedAnalyticRuleIds (array)
      - file name (string) – required
      - file (string) – required
    - additionalData (object)
      - alertsCount (number)
      - bookmarksCount (number)
      - commentsCount (number)
      - alertProductNames (array)
        - file name (string) – required
        - file (string) – required
      - tactics (array)
        - file name (string) – required
        - file (string) – required

Response Headers

| Header | Type |
| --- | --- |
| cache-control | string |
| pragma | string |
| content-length | string |
| content-type | string |
| expires | string |
| server | string |
| x-ms-ratelimit-remaining-subscription-resource-requests | string |
| x-ms-request-id | string |
| x-ms-correlation-request-id | string |
| x-ms-routing-request-id | string |
| strict-transport-security | string |
| x-content-type-options | string |
| date | string |
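As an added example that is not part of this connector's documentation or code, the block below assembles the PUT request for this action offline (checking the workspace name pattern and the required body fields before anything is sent) and then reduces the action's output to the fields a playbook typically branches on. The allowed severity and status values are assumed from the Azure Sentinel REST API enums, the api-version string is a placeholder, and the "closing requires a classification" rule is a defensive choice of this example, not a documented constraint.

```python
import re

# Added example (not the connector's own code). Assumed enum values below.
WORKSPACE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$")
ENDPOINT = ("/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
            "/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}"
            "/providers/Microsoft.SecurityInsights/incidents/{incidentId}")
PATH_KEYS = ("subscriptionId", "resourceGroupName", "workspaceName", "incidentId")
SEVERITIES = {"Informational", "Low", "Medium", "High"}  # assumed API enum
STATUSES = {"New", "Active", "Closed"}                   # assumed API enum


def build_request(path, api_version, etag, properties):
    """Return the request this action would send, or raise ValueError."""
    missing = [k for k in PATH_KEYS if not path.get(k)]
    if missing:
        raise ValueError(f"missing path parameters: {missing}")
    if not WORKSPACE_RE.fullmatch(path["workspaceName"]):
        raise ValueError("workspaceName violates the documented regex pattern")
    for key in ("title", "severity", "status"):  # required body fields
        if not properties.get(key):
            raise ValueError(f"properties.{key} is required")
    if properties["severity"] not in SEVERITIES or properties["status"] not in STATUSES:
        raise ValueError("severity or status is not an allowed value")
    # Example-specific rule: closing with no classification leaves no record
    # of why the incident was closed, so refuse it here.
    if properties["status"] == "Closed" and not properties.get("classification"):
        raise ValueError("a Closed incident needs a classification")
    body = {"properties": properties}
    if etag:  # last seen etag, so the service can detect a stale update (assumed)
        body["etag"] = etag
    return {"method": "PUT", "url": ENDPOINT.format(**path),
            "params": {"api-version": api_version}, "json": body}


# Constructed sample shaped like the action output, trimmed from the example above.
SAMPLE_RESULT = {"status_code": 201, "reason": "Created", "json_body": {
    "etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"",
    "properties": {"incidentNumber": 3177, "status": "Closed",
                   "owner": {"userPrincipalName": "john@contoso.com"},
                   "labels": [{"labelName": "example label", "labelType": "AutoAssigned"}]}}}


def summarize_response(result):
    """Reduce status_code / reason / json_body to the fields a playbook uses."""
    if result["status_code"] not in (200, 201):
        raise RuntimeError(f"{result['status_code']} {result['reason']}")
    body = result["json_body"]
    props = body["properties"]
    return {"created": result["status_code"] == 201,
            "incidentNumber": props["incidentNumber"],
            "etag": body["etag"],
            "owner": (props.get("owner") or {}).get("userPrincipalName"),
            "status": props["status"],
            "labels": [lab["labelName"] for lab in props.get("labels", [])]}
```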