Update Incident by ID
**Description**

Updates an existing incident's details in Microsoft Defender, including status, determination, and classification, using the incident ID.

**Endpoint URL:** `api/incidents/{{id}}`
**Method:** `PATCH`

**Inputs**

- Path Parameters (object) – required
  - `id` (number) – required: Incident ID
- JSON Body (object) – required
  - `status` (string): Specifies the current status of the incident
  - `assignedTo` (string): Owner of the incident
  - `classification` (string): Classification of the incident
  - `determination` (string): Specifies the determination of the incident
  - `tags` (array): List of incident tags
  - `comment` (string): Comment to be added to the incident

The sample response below shows representative values for `status`, `classification`, and `determination` (for example `Resolved`, `Unknown`, and `NotAvailable`).

**Output Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 05 Sep 2024 07:20:44 GMT",
      "Content-Type": "application/json; odata.metadata=minimal; odata.streaming=true; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Content-Encoding": "deflate",
      "Vary": "Accept-Encoding",
      "OData-Version": "4.0",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": {
      "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Incidents/$entity",
      "incidentId": 552,
      "incidentUri": "https://security.microsoft.com/incidents/552?tid=f5d73c4c-bb3d-421b-8bee-424916a4acca",
      "redirectIncidentId": null,
      "incidentName": "Email messages containing malicious file removed after delivery\u200b",
      "createdTime": "2024-08-30T08:55:32.21Z",
      "lastUpdateTime": "2024-09-05T07:20:44.9089383Z",
      "assignedTo": null,
      "classification": "Unknown",
      "determination": "NotAvailable",
      "status": "Resolved",
      "severity": "Informational",
      "tags": [],
      "comments": [],
      "alerts": [
        {
          "alertId": "fa54978fd8-0fca-bf7d-7200-08dcc8d0df02",
          "providerAlertId": "54978fd8-0fca-bf7d-7200-08dcc8d0df02",
          "incidentId": 552,
          "serviceSource": "MicrosoftDefenderForOffice365",
          "creationTime": "2024-08-30T08:55:31.9566667Z",
          "lastUpdatedTime": "2024-08-30T23:49:40.49Z",
          "resolvedTime": null,
          "firstActivity": "2024-08-30T08:50:19Z",
          "lastActivity": "2024-08-30T08:52:19Z",
          "title": "Email messages containing malicious file removed after delivery\u200b",
          "description": "Emails with malicious file that were delivered and later removed V1.0.0.3",
          "category": "InitialAccess",
          "status": "InProgress",
          "severity": "Informational",
          "investigationId": null,
          "investigationState": "PendingApproval",
          "classification": null,
          "determination": null,
          "detectionSource": "OfficeATP",
          "detectorId": "4b1820ec-39dc-45f3-abf6-5ee80df51fd2",
          "assignedTo": null,
          "actorName": null,
          "threatFamilyName": null,
          "mitreTechniques": [
            "T1566.001"
          ],
          "devices": [],
          "entities": [
            {
              "entityType": "Mailbox",
              "evidenceCreationTime": "2024-08-30T08:55:32.2433333Z",
              "verdict": "Suspicious",
              "remediationStatus": "None",
              "accountName": "pov",
              "userSid": "S-1-12-1-1510799150-1340649529-3182594751-1539246002",
              "aadUserId": "5a0cf72e-b039-4fe8-bf8a-b2bdb207bf5b",
              "userPrincipalName": "pov@swimlaneintegrations.onmicrosoft.com",
              "mailboxDisplayName": "SE POV User",
              "mailboxAddress": "pov@swimlaneintegrations.onmicrosoft.com"
            },
            {
              "entityType": "File",
              "evidenceCreationTime": "2024-08-30T08:55:32.2433333Z",
              "verdict": "Suspicious",
              "remediationStatus": "None",
              "sha256": "2a1a921bcd5bd4795f1204ce050bc7c1054273ffc87de9ec00c3949b8bdbce5c",
              "fileName": "2020-01-24-Ursnif-ma"
            },
            {
              "entityType": "MailMessage",
              "evidenceCreationTime": "2024-08-30T08:55:32.2433333Z",
              "verdict": "Suspicious",
              "remediationStatus": "None",
              "userPrincipalName": "pov@swimlaneintegrations.onmicrosoft.com",
              "sender": "pov@swimlane.ai",
              "recipient": "pov@swimlaneintegrations.onmicrosoft.com",
              "subject": "warning:is this a phishing email?",
              "internetMessageId": "<PH0PR19MB562398F6FB70809E1487FB7FB3972@PH0PR19MB5623.namprd19.prod.outlook.com>",
              "deliveryAction": "Blocked"
            },
            {
              "entityType": "User",
              "evidenceCreationTime": "2024-08-30T08:55:32.2433333Z",
              "verdict": "Suspicious",
              "remediationStatus": "None",
              "accountName": "pov",
              "domainName": "",
              "userSid": "S-1-12-1-1510799150-1340649529-3182594751-1539246002",
              "aadUserId": "5a0cf72e-b039-4fe8-bf8a-b2bdb207bf5b",
              "userPrincipalName": "pov@swimlaneintegrations.onmicrosoft.com"
            },
            {
              "entityType": "File",
              "evidenceCreationTime": "2024-08-30T09:00:35.9533333Z",
              "verdict": "Suspicious",
              "remediationStatus": "None",
              "sha256": "2a1a921bcd5bd4795f1204ce050bc7c1054273ffc87de9ec00c3949b8bdbce5c",
              "fileName": "2020-01-24-Ursnif-malspam-example-2-of-4-0750-UTC.eml"
            },
            {
              "entityType": "MailCluster",
              "evidenceCreationTime": "2024-08-30T09:05:50.2133333Z",
              "verdict": "Suspicious",
              "remediationStatus": "None",
              "clusterBy": "Subject;SenderIp;AntispamDirection;ContentType",
              "clusterByValue": "warning:is this a phishing email?;40.107.95.100;1;1",
              "emailCount": 1
            },
            {
              "entityType": "MailCluster",
              "evidenceCreationTime": "2024-08-30T09:05:50.2133333Z",
              "verdict": "Suspicious",
              "remediationStatus": "None",
              "clusterBy": "Subject;P2SenderDomain;AntispamDirection;ContentType",
              "clusterByValue": "warning:is this a phishing email?;swimlane.ai;1;1",
              "emailCount": 346
            },
            {
              "entityType": "MailCluster",
              "evidenceCreationTime": "2024-08-30T09:05:50.2133333Z",
              "verdict": "Suspicious",
              "remediationStatus": "None",
              "clusterBy": "FileHash;ContentType",
              "clusterByValue": "2a1a921bcd5bd4795f1204ce050bc7c1054273ffc87de9ec00c3949b8bdbce5c;1",
              "emailCount": 6
            }
          ]
        }
      ]
    }
  }
]
```

**Output Parameters**

- `status_code` (number)
- `reason` (string)
- `json_body` (object)
  - `@odata.context` (string)
  - `incidentId` (number)
  - `incidentUri` (string)
  - `redirectIncidentId` (object)
  - `incidentName` (string)
  - `createdTime` (string)
  - `lastUpdateTime` (string)
  - `assignedTo` (object)
  - `classification` (string)
  - `determination` (string)
  - `status` (string)
  - `severity` (string)
  - `tags` (array)
    - `file_name` (string) – required
    - `file` (string) – required
  - `comments` (array)
    - `file_name` (string) – required
    - `file` (string) – required
  - `alerts` (array)
    - `alertId` (string)
    - `providerAlertId` (string)
    - `incidentId` (number)
    - `serviceSource` (string)
    - `creationTime` (string)
    - `lastUpdatedTime` (string)
    - `resolvedTime` (object)
    - `firstActivity` (string)
    - `lastActivity` (string)
    - `title` (string)
    - `description` (string)
    - `category` (string)
    - `status` (string)
    - `severity` (string)
    - `investigationId` (object)
    - `investigationState` (string)
    - `classification` (object)
    - `determination` (object)
    - `detectionSource` (string)
    - `detectorId` (string)
    - `assignedTo` (object)
    - `actorName` (object)
    - `threatFamilyName` (object)
    - `mitreTechniques` (array)
    - `devices` (array)
      - `file_name` (string) – required
      - `file` (string) – required
    - `entities` (array)
      - `entityType` (string)
      - `evidenceCreationTime` (string)
      - `verdict` (string)
      - `remediationStatus` (string)
      - `accountName` (string)
      - `userSid` (string)
      - `aadUserId` (string)
      - `userPrincipalName` (string)
      - `mailboxDisplayName` (string)
      - `mailboxAddress` (string)
      - `sha256` (string)
      - `fileName` (string)
      - `sender` (string)
      - `recipient` (string)
      - `subject` (string)
      - `internetMessageId` (string)
      - `deliveryAction` (string)
      - `domainName` (string)
      - `clusterBy` (string)
      - `clusterByValue` (string)
      - `emailCount` (number)

**Response Headers**

| Header | Type |
| --- | --- |
| Date | string |
| Content-Type | string |
| Transfer-Encoding | string |
| Connection | string |
| Content-Encoding | string |
| Vary | string |
| OData-Version | string |
| Strict-Transport-Security | string |