Get Incident
Description
Retrieves detailed information for a specified incident in Microsoft Azure Sentinel using subscription ID, resource group, workspace name, and incident ID.

Endpoint URL
/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/incidents/{{incidentId}}

Method
GET

Inputs
path_parameters (object) – required: Path parameters.
  subscriptionId (string) – required: The ID of the target subscription.
  resourceGroupName (string) – required: The name of the resource group. The name is case insensitive.
  workspaceName (string) – required: The name of the workspace. Regex pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$
  incidentId (string) – required: Incident ID.
parameters (object) – required: URL query parameters.
  api-version (string) – required: The API version to use for this action.

Output Example
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-cache",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json; charset=utf-8",
      "Content-Encoding": "gzip",
      "Expires": "-1",
      "Vary": "Accept-Encoding",
      "Server": "Kestrel",
      "x-ms-ratelimit-remaining-subscription-reads": "11999",
      "x-ms-request-id": "80a0943c-0eaa-4a3d-bac9-1e4e4eae73db",
      "x-ms-correlation-request-id": "80a0943c-0eaa-4a3d-bac9-1e4e4eae73db",
      "x-ms-routing-request-id": "SOUTHINDIA:20230729T122616Z:80a0943c-0eaa-4a3d-bac9-1e4e4eae73db",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "X-Content-Type-Options": "nosniff",
      "Date": "Sat, 29 Jul 2023 12:26:16 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
      "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
      "type": "Microsoft.SecurityInsights/incidents",
      "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
      "properties": {
        "lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
        "createdTimeUtc": "2019-01-01T13:15:30Z",
        "lastActivityTimeUtc": "2019-01-01T13:05:30Z",
        "firstActivityTimeUtc": "2019-01-01T13:00:30Z",
        "description": "This is a demo incident",
        "title": "My incident",
        "owner": {
          "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
          "email": "john.doe@contoso.com",
          "userPrincipalName": "john@contoso.com",
          "assignedTo": "john doe"
        },
        "severity": "High",
        "classification": "FalsePositive",
        "classificationComment": "Not a malicious activity",
        "classificationReason": "InaccurateData",
        "status": "Closed",
        "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
        "incidentNumber": 3177,
        "labels": [],
        "providerName": "Azure Sentinel",
        "providerIncidentId": "3177",
        "relatedAnalyticRuleIds": [
          "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7"
        ],
        "additionalData": {
          "alertsCount": 0,
          "bookmarksCount": 0,
          "commentsCount": 3,
          "alertProductNames": [],
          "tactics": [
            "InitialAccess",
            "Persistence"
          ]
        }
      }
    }
  }
]

Output Parameters
status_code (number)
reason (string)
json_body (object)
  id (string)
  name (string)
  type (string)
  etag (string)
  properties (object)
    lastModifiedTimeUtc (string)
    createdTimeUtc (string)
    lastActivityTimeUtc (string)
    firstActivityTimeUtc (string)
    description (string)
    title (string)
    owner (object)
      objectId (string)
      email (string)
      userPrincipalName (string)
      assignedTo (string)
    severity (string)
    classification (string)
    classificationComment (string)
    classificationReason (string)
    status (string)
    incidentUrl (string)
    incidentNumber (number)
    labels (array)
      file_name (string) – required
      file (string) – required
    providerName (string)
    providerIncidentId (string)
    relatedAnalyticRuleIds (array)
    additionalData (object)
      alertsCount (number)
      bookmarksCount (number)
      commentsCount (number)
      alertProductNames (array)
        file_name (string) – required
        file (string) – required
      tactics (array)

Response Headers
Header                                        Type
Cache-Control                                 string
Pragma                                        string
Transfer-Encoding                             string
Content-Type                                  string
Content-Encoding                              string
Expires                                       string
Vary                                          string
Server                                        string
x-ms-ratelimit-remaining-subscription-reads   string
x-ms-request-id                               string
x-ms-correlation-request-id                   string
x-ms-routing-request-id                       string
Strict-Transport-Security                     string
X-Content-Type-Options                        string
Date                                          string
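As an added example (not part of the connector's own code), the following Python builds the documented GET request from the action's inputs, rejecting a missing parameter or a workspaceName that fails the documented pattern, and reduces the action's output (status_code, reason, json_body) to the fields a triage playbook step typically needs. The URL-delimiter check on path values and the trimmed sample response are this example's own assumptions, not requirements stated on the page.

```python
import re

# Path template and workspaceName pattern as documented for this action.
ENDPOINT = ("/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
            "/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}"
            "/providers/Microsoft.SecurityInsights/incidents/{incidentId}")
WORKSPACE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$")
REQUIRED_PATH = ("subscriptionId", "resourceGroupName", "workspaceName", "incidentId")

def build_request(path_parameters, parameters):
    """Validate the documented inputs and return (url, query) for the GET."""
    missing = [k for k in REQUIRED_PATH if not path_parameters.get(k)]
    if missing:
        raise ValueError(f"missing path parameters: {missing}")
    # Assumption (this example's own hardening): a value carrying a URL delimiter
    # could rewrite the request path, so refuse it before it reaches the template.
    for k in REQUIRED_PATH:
        if any(c in path_parameters[k] for c in "/?#"):
            raise ValueError(f"{k} contains a URL delimiter")
    if not WORKSPACE_RE.match(path_parameters["workspaceName"]):
        raise ValueError("workspaceName does not match the documented pattern")
    if not parameters.get("api-version"):
        raise ValueError("api-version query parameter is required")
    return ENDPOINT.format(**path_parameters), {"api-version": parameters["api-version"]}

def summarize_incident(response):
    """Reduce the action output (status_code, reason, json_body) to triage fields."""
    if response["status_code"] != 200:
        raise RuntimeError(f"Get Incident failed: {response['status_code']} {response['reason']}")
    props = response["json_body"]["properties"]
    return {
        "incidentNumber": props["incidentNumber"],
        "severity": props["severity"],
        "status": props["status"],
        "classification": props.get("classification"),
        "tactics": props.get("additionalData", {}).get("tactics", []),
        # relatedAnalyticRuleIds are full ARM resource IDs; keep only the rule GUID.
        "ruleIds": [r.rsplit("/", 1)[-1] for r in props.get("relatedAnalyticRuleIds", [])],
    }

# Constructed sample, trimmed from this page's output example.
SAMPLE_RESPONSE = {
    "status_code": 200, "reason": "OK",
    "json_body": {"properties": {
        "incidentNumber": 3177, "severity": "High", "status": "Closed",
        "classification": "FalsePositive",
        "relatedAnalyticRuleIds": ["/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg"
            "/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7"],
        "additionalData": {"tactics": ["InitialAccess", "Persistence"]},
    }},
}
```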