{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "#/components/schemas/microsoft.graph.security.incident", "title": "microsoft.graph.security.incident", "allOf": [ { "$ref": "#/components/schemas/microsoft.graph.entity" }, { "title": "incident", "required": [ "@odata.type" ], "type": "object", "properties": { "assignedTo": { "type": "string", "description": "Owner of the incident, or null if no owner is assigned. Free editable text.", "nullable": true }, "classification": { "anyOf": [ { "$ref": "#/components/schemas/microsoft.graph.security.alertClassification" }, { "type": "object", "nullable": true } ], "description": "The specification for the incident. The possible values are: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue." }, "comments": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.security.alertComment" }, "description": "Array of comments created by the Security Operations (SecOps) team when the incident is managed." }, "createdDateTime": { "pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$", "type": "string", "description": "Time when the incident was first created.", "format": "date-time" }, "customTags": { "type": "array", "items": { "type": "string", "nullable": true }, "description": "Array of custom tags associated with an incident." }, "description": { "type": "string", "description": "Description of the incident.", "nullable": true }, "determination": { "anyOf": [ { "$ref": "#/components/schemas/microsoft.graph.security.alertDetermination" }, { "type": "object", "nullable": true } ], "description": "Specifies the determination of the incident. The possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedUser, phishing, maliciousUserActivity, clean, insufficientData, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue." }, "displayName": { "type": "string", "description": "The incident name.", "nullable": true }, "incidentWebUrl": { "type": "string", "description": "The URL for the incident page in the Microsoft 365 Defender portal.", "nullable": true }, "lastModifiedBy": { "type": "string", "description": "The identity that last modified the incident.", "nullable": true }, "lastUpdateDateTime": { "pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$", "type": "string", "description": "Time when the incident was last updated.", "format": "date-time" }, "redirectIncidentId": { "type": "string", "description": "Only populated in case an incident is grouped with another incident, as part of the logic that processes incidents. In such a case, the status property is redirected.", "nullable": true }, "resolvingComment": { "type": "string", "description": "User input that explains the resolution of the incident and the classification choice. This property contains free editable text.", "nullable": true }, "severity": { "$ref": "#/components/schemas/microsoft.graph.security.alertSeverity" }, "status": { "$ref": "#/components/schemas/microsoft.graph.security.incidentStatus" }, "summary": { "type": "string", "description": "The overview of an attack. When applicable, the summary contains details of what occurred, impacted assets, and the type of attack.", "nullable": true }, "systemTags": { "type": "array", "items": { "type": "string", "nullable": true }, "description": "The system tags associated with the incident." }, "tenantId": { "type": "string", "description": "The Microsoft Entra tenant in which the alert was created.", "nullable": true }, "alerts": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.security.alert" }, "description": "The list of related alerts. Supports $expand.", "x-ms-navigationProperty": true }, "@odata.type": { "type": "string" } } } ], "x-ms-discriminator-value": "#microsoft.graph.security.incident" }