Get Incident
**Description**

Retrieve a specific Microsoft Defender incident by its unique ID, using the incident's ID as a path parameter.

**Endpoint URL:** `api/incidents/{{id}}`

**Method:** GET

**Inputs**

- Path Parameters (object) – required
  - id (number) – required: Incident ID

**Output Example**

```json
[
  {
    "@odata.context": "https://api.security.microsoft.com/api/$metadata#incidents/$entity",
    "incidentId": 437,
    "incidentUri": "https://security.microsoft.com/incidents/437?tid=f5d73c4c-bb3d-421b-8bee-424916a4acca",
    "redirectIncidentId": null,
    "incidentName": "Unfamiliar sign-in properties involving one user",
    "createdTime": "2023-05-10T09:33:15.32Z",
    "lastUpdateTime": "2023-05-10T09:33:15.53Z",
    "assignedTo": null,
    "classification": "Unknown",
    "determination": "NotAvailable",
    "status": "Active",
    "severity": "High",
    "tags": [],
    "comments": [],
    "alerts": [
      {
        "alertId": "ad3ef58dc561c3234527be2d9ff82524a967a5fb1c",
        "providerAlertId": "039e0aead168175b4945b6eb116391f45e0701ea8777529e1b9bce5992760803",
        "incidentId": 437,
        "serviceSource": "AadIdentityProtection",
        "creationTime": "2023-05-10T09:33:14.6226578Z",
        "lastUpdatedTime": "2023-05-10T09:33:16.1033333Z",
        "resolvedTime": null,
        "firstActivity": "2023-05-10T09:29:24.2969531Z",
        "lastActivity": "2023-05-10T09:29:24.2969531Z",
        "title": "Unfamiliar sign-in properties",
        "description": "The following properties of this sign-in are unfamiliar for the given user: ASN, Browser, Device, IP, Location, EASId, TenantIPSubnet",
        "category": "InitialAccess",
        "status": "New",
        "severity": "High",
        "investigationId": null,
        "investigationState": "UnsupportedAlertType",
        "classification": null,
        "determination": null,
        "detectionSource": "AAD",
        "detectorId": "UnfamiliarLocation",
        "assignedTo": null,
        "actorName": null,
        "threatFamilyName": null,
        "mitreTechniques": [
          "T1078",
          "T1078.004"
        ],
        "devices": [],
        "entities": [
          {
            "entityType": "User",
            "evidenceCreationTime": "2023-05-10T09:33:14.89Z",
            "verdict": "Suspicious",
            "remediationStatus": "None",
            "accountName": "pov",
            "userSid": "S-1-12-1-1510799150-1340649529-3182594751-1539246002",
            "aadUserId": "5a0cf72e-b039-4fe8-bf8a-b2bdb207bf5b",
            "userPrincipalName": "pov@swimlaneintegrations.onmicrosoft.com"
          },
          {
            "entityType": "Ip",
            "evidenceCreationTime": "2023-05-10T09:33:14.89Z",
            "verdict": "Suspicious",
            "remediationStatus": "None",
            "ipAddress": "93.243.188.4"
          }
        ]
      }
    ]
  }
]
```

**Output Parameters**

- @odata.context (string)
- incidentId (number)
- incidentUri (string)
- redirectIncidentId (object)
- incidentName (string)
- createdTime (string)
- lastUpdateTime (string)
- assignedTo (object)
- classification (string)
- determination (string)
- status (string)
- severity (string)
- tags (array)
  - file name (string) – required
  - file (string) – required
- comments (array)
  - file name (string) – required
  - file (string) – required
- alerts (array)
  - alertId (string)
  - providerAlertId (string)
  - incidentId (number)
  - serviceSource (string)
  - creationTime (string)
  - lastUpdatedTime (string)
  - resolvedTime (object)
  - firstActivity (string)
  - lastActivity (string)
  - title (string)
  - description (string)
  - category (string)
  - status (string)
  - severity (string)
  - investigationId (object)
  - investigationState (string)
  - classification (object)
  - determination (object)
  - detectionSource (string)
  - detectorId (string)
  - assignedTo (object)
  - actorName (object)
  - threatFamilyName (object)
  - mitreTechniques (array)
  - devices (array)
    - file name (string) – required
    - file (string) – required
  - entities (array)
    - entityType (string)
    - evidenceCreationTime (string)
    - verdict (string)
    - remediationStatus (string)
    - accountName (string)
    - userSid (string)
    - aadUserId (string)
    - userPrincipalName (string)
    - ipAddress (string)