Incidents - List

Gets all incidents.

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$filter={$filter}&$orderby={$orderby}&$top={$top}&$skipToken={$skipToken}

URI Parameters

Name In Required Type Description
resourceGroupName
path True
  • string

The name of the resource group within the user's subscription. The name is case insensitive.

Regex pattern: ^[-\w\._\(\)]+$

subscriptionId
path True
  • string

Azure subscription ID

Regex pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$

workspaceName
path True
  • string

The name of the workspace.

api-version
query True
  • string

API version for the operation

$filter
query
  • string

Filters the results using an OData Boolean expression over incident properties. Optional.

$orderby
query
  • string

Sorts the results by an OData $orderby expression, for example properties/createdTimeUtc desc as in the sample request below. Optional.

$skipToken
query
  • string

$skipToken is only used to continue a previous operation that returned a partial result. If a response contains a nextLink element, that URL already includes a $skipToken value marking the starting point for the next page, so the client should request nextLink as-is rather than constructing the token itself. Optional.

$top
query
  • integer
int32

Returns only the first n results; when more incidents exist, the response carries a nextLink for the remainder. Optional.

Responses

Name Type Description
200 OK
  • IncidentList

OK, Operation successfully completed

Other Status Codes
  • CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

The implicit flow listed here is the interactive, browser-style grant; unattended callers (a SOAR job, a scheduled exporter) use a client-credentials or managed-identity token instead. Whichever grant is used, the bearer token must be issued for the Azure Resource Manager audience (https://management.azure.com/), and the calling identity needs an Azure RBAC role on the workspace that grants Microsoft.SecurityInsights/incidents/read; without it the request fails with 403 rather than returning an empty list.
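The following is an added example, not code from this page or from Microsoft. It builds the list URL from the route and query parameters documented above, percent-encodes the OData values, and walks the result set by following nextLink exactly as the $skipToken description requires. Assumptions the page does not state: the bearer token is obtained by the caller (for example from DefaultAzureCredential with scope https://management.azure.com/.default), the $filter expression properties/status eq 'New' follows the same properties/<field> path form as the sample $orderby, and the transport is injectable so the demo at the bottom runs offline against constructed pages rather than the real service.

```python
"""Page through Azure Sentinel (Security Insights) incidents via Incidents - List.

Added example; not code from this page or from Microsoft. Assumptions the
page does not state: the bearer token is obtained by the caller, the $filter
expression uses the same properties/<field> path form as the page's sample
$orderby, and the transport is injectable so the demo at the bottom runs
offline against constructed pages.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator, Optional

ARM = "https://management.azure.com"
API_VERSION = "2020-01-01"


def incidents_url(subscription_id: str, resource_group: str, workspace: str,
                  filter_: Optional[str] = None, orderby: Optional[str] = None,
                  top: Optional[int] = None) -> str:
    """Build the list URL from the page's route; OData values are percent-encoded
    (the space in 'createdTimeUtc desc' becomes %20) while '$' and '/' stay literal."""
    path = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/incidents")
    params = {"api-version": API_VERSION}
    if filter_:
        params["$filter"] = filter_
    if orderby:
        params["$orderby"] = orderby
    if top is not None:
        params["$top"] = str(top)
    return ARM + path + "?" + urllib.parse.urlencode(
        params, safe="$/", quote_via=urllib.parse.quote)


def http_get_json(url: str, token: str) -> dict:
    """Real transport: one authenticated GET. Only used when no fetch is injected."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_incidents(first_url: str, token: str,
                   fetch: Optional[Callable[[str, str], dict]] = None,
                   max_pages: int = 1000) -> Iterator[dict]:
    """Yield every incident, following nextLink verbatim until it is absent.

    nextLink already embeds the $skipToken, so it is requested unchanged. The
    page budget and the seen-set stop a client from spinning forever if a
    server keeps handing back the same continuation.
    """
    fetch = fetch or http_get_json
    url, seen = first_url, set()
    for _ in range(max_pages):
        if url in seen:
            raise RuntimeError("nextLink cycle detected: " + url)
        seen.add(url)
        page = fetch(url, token)
        yield from page.get("value", [])
        url = page.get("nextLink")
        if not url:
            return
    raise RuntimeError(f"gave up after {max_pages} pages")


# Constructed pages for the offline demo; not real API output.
_FIRST = "https://example.invalid/incidents?api-version=2020-01-01&$top=2"
_NEXT = _FIRST + "&$skipToken=constructed-token"
_FAKE_PAGES = {
    _FIRST: {"value": [{"name": "inc-1", "properties": {"status": "New"}},
                       {"name": "inc-2", "properties": {"status": "New"}}],
             "nextLink": _NEXT},
    _NEXT: {"value": [{"name": "inc-3", "properties": {"status": "Active"}}]},
}


def fake_fetch(url: str, token: str) -> dict:
    """Stand-in transport serving the constructed pages above."""
    if not token:
        raise PermissionError("bearer token required")
    return _FAKE_PAGES[url]


def demo_names() -> list:
    """Names of all incidents across both constructed pages."""
    return [i["name"] for i in iter_incidents(_FIRST, "fake-token", fetch=fake_fetch)]


if __name__ == "__main__":
    print(incidents_url("d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "myRg", "myWorkspace",
                        filter_="properties/status eq 'New'",
                        orderby="properties/createdTimeUtc desc", top=50))
    print(demo_names())
```

To run against a live workspace, pass a real token and omit the fetch argument; the first URL comes from incidents_url and every later page from nextLink. The seen-set is deliberate: a continuation token is opaque, so a client that trusts it blindly has no other defence against a stuck or replayed link.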

Examples

Get all incidents.

Sample Request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$orderby=properties/createdTimeUtc desc&$top=1

Sample Response

{
  "value": [
    {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
      "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
      "type": "Microsoft.SecurityInsights/incidents",
      "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
      "properties": {
        "lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
        "createdTimeUtc": "2019-01-01T13:15:30Z",
        "lastActivityTimeUtc": "2019-01-01T13:05:30Z",
        "firstActivityTimeUtc": "2019-01-01T13:00:30Z",
        "description": "This is a demo incident",
        "title": "My incident",
        "owner": {
          "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
          "email": "john.doe@contoso.com",
          "userPrincipalName": "john@contoso.com",
          "assignedTo": "john doe"
        },
        "severity": "High",
        "classification": "FalsePositive",
        "classificationComment": "Not a malicious activity",
        "classificationReason": "IncorrectAlertLogic",
        "status": "Closed",
        "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
        "incidentNumber": 3177,
        "labels": [],
        "relatedAnalyticRuleIds": [
          "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
          "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
        ],
        "additionalData": {
          "alertsCount": 0,
          "bookmarksCount": 0,
          "commentsCount": 3,
          "alertProductNames": [],
          "tactics": [
            "Persistence"
          ]
        }
      }
    }
  ]
}
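The helpers below are an added example, not code from this page or from Microsoft. They read the sample incident above (embedded here, trimmed to the fields used) plus one constructed open incident, and derive the values an analyst actually triages on: the rule GUIDs behind the full ARM resource IDs in relatedAnalyticRuleIds, the activity window and detection lag from the four timestamps, and whether status and classification agree. The "needs attention" rule is this example's own queue policy, not anything the API prescribes.

```python
"""Triage helpers over Incident objects returned by Incidents - List.

Added example; not code from this page or from Microsoft. It embeds the
page's sample incident (trimmed to the fields it reads) plus one constructed
open incident, and reads only properties the page defines. The
"needs attention" rule is this example's own queue policy.
"""
from datetime import datetime, timezone


def parse_utc(ts: str) -> datetime:
    """Parse the API's ISO 8601 'Z' timestamps; the rewrite keeps Python < 3.11 happy."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def rule_names(incident: dict) -> list:
    """relatedAnalyticRuleIds are full ARM resource IDs; keep only the rule GUID."""
    return [rid.rstrip("/").rsplit("/", 1)[-1]
            for rid in incident["properties"].get("relatedAnalyticRuleIds", [])]


def activity_window_seconds(incident: dict) -> float:
    """Span of the activity the incident covers (first to last activity)."""
    p = incident["properties"]
    return (parse_utc(p["lastActivityTimeUtc"])
            - parse_utc(p["firstActivityTimeUtc"])).total_seconds()


def detection_lag_seconds(incident: dict) -> float:
    """Delay between the last observed activity and the incident being created."""
    p = incident["properties"]
    return (parse_utc(p["createdTimeUtc"])
            - parse_utc(p["lastActivityTimeUtc"])).total_seconds()


def closure_is_consistent(incident: dict) -> bool:
    """Closed incidents should carry a classification; open ones should not."""
    p = incident["properties"]
    return (p.get("status") == "Closed") == bool(p.get("classification"))


def needs_attention(incident: dict) -> bool:
    """Example policy: open, High or Medium, and nobody assigned (no owner objectId)."""
    p = incident["properties"]
    owner = p.get("owner") or {}
    return (p.get("status") in ("New", "Active")
            and p.get("severity") in ("High", "Medium")
            and not owner.get("objectId"))


def summarize(incident: dict) -> dict:
    """Flatten one incident into the fields a queue view or SIEM export needs."""
    p = incident["properties"]
    return {
        "id": incident["name"],             # the GUID used in incident API paths
        "number": p.get("incidentNumber"),  # the sequential number shown in the portal
        "severity": p.get("severity"),
        "status": p.get("status"),
        "owner": (p.get("owner") or {}).get("userPrincipalName"),
        "tactics": list(p.get("additionalData", {}).get("tactics", [])),
        "rules": rule_names(incident),
        "activity_window_s": activity_window_seconds(incident),
        "detection_lag_s": detection_lag_seconds(incident),
        "needs_attention": needs_attention(incident),
        "closure_ok": closure_is_consistent(incident),
    }


# The page's sample incident, trimmed to the fields used here.
_RULES = ("/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg"
          "/providers/Microsoft.OperationalInsights/workspaces/myWorkspace"
          "/providers/Microsoft.SecurityInsights/alertRules/")
SAMPLE_INCIDENT = {
    "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
    "properties": {
        "createdTimeUtc": "2019-01-01T13:15:30Z",
        "lastActivityTimeUtc": "2019-01-01T13:05:30Z",
        "firstActivityTimeUtc": "2019-01-01T13:00:30Z",
        "owner": {"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
                  "userPrincipalName": "john@contoso.com"},
        "severity": "High", "classification": "FalsePositive",
        "classificationReason": "IncorrectAlertLogic", "status": "Closed",
        "incidentNumber": 3177,
        "relatedAnalyticRuleIds": [_RULES + "fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
                                   _RULES + "8deb8303-e94d-46ff-96e0-5fd94b33df1a"],
        "additionalData": {"tactics": ["Persistence"]},
    },
}

# Constructed open incident (not from the page): New, High, unassigned.
CONSTRUCTED_OPEN = {
    "name": "00000000-0000-0000-0000-000000000001",
    "properties": {
        "createdTimeUtc": "2019-01-02T09:00:00Z",
        "lastActivityTimeUtc": "2019-01-02T08:30:00Z",
        "firstActivityTimeUtc": "2019-01-02T08:00:00Z",
        "owner": {"objectId": None}, "severity": "High", "status": "New",
        "incidentNumber": 3178, "relatedAnalyticRuleIds": [],
        "additionalData": {"tactics": []},
    },
}

if __name__ == "__main__":
    for inc in (SAMPLE_INCIDENT, CONSTRUCTED_OPEN):
        print(summarize(inc))
```

On the page's sample the activity window is 300 seconds and the incident was created 600 seconds after the last activity; it is Closed with a classification, so it is consistent and does not need attention. The constructed New/High/unassigned incident trips the queue policy. Key off name (the GUID) rather than incidentNumber when correlating with other API calls.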

Definitions

CloudError

An error response for a resource management request.

ErrorAdditionalInfo

The resource management error additional info.

ErrorResponse

Error Response

Incident

Represents an incident in Azure Security Insights.

IncidentAdditionalData

Incident additional data property bag.

IncidentClassification

The reason the incident was closed

IncidentClassificationReason

The classification reason the incident was closed with

IncidentLabel

Represents an incident label

IncidentLabelType

The type of the label

IncidentList

List all the incidents.

IncidentOwnerInfo

Information on the user an incident is assigned to

IncidentSeverity

The severity of the incident

IncidentStatus

The status of the incident

CloudError

An error response for a resource management request.

Name Type Description
error
  • ErrorResponse

The error object of the CloudError response

ErrorAdditionalInfo

The resource management error additional info.

Name Type Description
info
  • object

The additional info.

type
  • string

The additional info type.

ErrorResponse

Error Response

Name Type Description
additionalInfo
  • ErrorAdditionalInfo[]

The error additional info.

code
  • string

The error code.

details
  • ErrorResponse[]

The error details.

message
  • string

The error message.

target
  • string

The error target.

Incident

Represents an incident in Azure Security Insights.

Name Type Description
etag
  • string

Etag of the Azure resource

id
  • string

Azure resource ID

name
  • string

Azure resource name

properties.additionalData
  • IncidentAdditionalData

Additional data on the incident

properties.classification
  • IncidentClassification

The reason the incident was closed

properties.classificationComment
  • string

Describes the reason the incident was closed

properties.classificationReason
  • IncidentClassificationReason

The classification reason the incident was closed with

properties.createdTimeUtc
  • string

The time the incident was created

properties.description
  • string

The description of the incident

properties.firstActivityTimeUtc
  • string

The time of the first activity in the incident

properties.incidentNumber
  • integer

A sequential incident number (the number shown in the portal); use name, the GUID, as the identifier in API paths

properties.incidentUrl
  • string

The deep-link URL to the incident in the Azure portal

properties.labels
  • IncidentLabel[]

List of labels relevant to this incident

properties.lastActivityTimeUtc
  • string

The time of the last activity in the incident

properties.lastModifiedTimeUtc
  • string

The last time the incident was updated

properties.owner
  • IncidentOwnerInfo

Describes a user that the incident is assigned to

properties.relatedAnalyticRuleIds
  • string[]

List of resource ids of Analytic rules related to the incident

properties.severity
  • IncidentSeverity

The severity of the incident

properties.status
  • IncidentStatus

The status of the incident

properties.title
  • string

The title of the incident

type
  • string

Azure resource type

IncidentAdditionalData

Incident additional data property bag.

Name Type Description
alertProductNames
  • string[]

List of product names of alerts in the incident

alertsCount
  • integer

The number of alerts in the incident

bookmarksCount
  • integer

The number of bookmarks in the incident

commentsCount
  • integer

The number of comments in the incident

tactics
  • string[]

The MITRE ATT&CK tactics associated with the incident

IncidentClassification

The reason the incident was closed

Name Type Description
BenignPositive
  • string

Incident was benign positive

FalsePositive
  • string

Incident was false positive

TruePositive
  • string

Incident was true positive

Undetermined
  • string

Incident classification was undetermined

IncidentClassificationReason

The classification reason the incident was closed with

Name Type Description
InaccurateData
  • string

Classification reason was inaccurate data

IncorrectAlertLogic
  • string

Classification reason was incorrect alert logic

SuspiciousActivity
  • string

Classification reason was suspicious activity

SuspiciousButExpected
  • string

Classification reason was suspicious but expected

IncidentLabel

Represents an incident label

Name Type Description
labelName
  • string

The name of the label

labelType
  • IncidentLabelType

The type of the label

IncidentLabelType

The type of the label

Name Type Description
System
  • string

Label automatically created by the system

User
  • string

Label manually created by a user

IncidentList

List all the incidents.

Name Type Description
nextLink
  • string

URL to fetch the next set of incidents.

value
  • Incident[]

Array of incidents.

IncidentOwnerInfo

Information on the user an incident is assigned to

Name Type Description
assignedTo
  • string

The name of the user the incident is assigned to.

email
  • string

The email of the user the incident is assigned to.

objectId
  • string

The object id of the user the incident is assigned to.

userPrincipalName
  • string

The user principal name of the user the incident is assigned to.

IncidentSeverity

The severity of the incident

Name Type Description
High
  • string

High severity

Informational
  • string

Informational severity

Low
  • string

Low severity

Medium
  • string

Medium severity

IncidentStatus

The status of the incident

Name Type Description
Active
  • string

An active incident which is being handled

Closed
  • string

A non-active incident

New
  • string

An active incident which isn't being handled currently