SecurityIncident.Read.All | Graph Permissions

Permission Details

Application Permission

Read all security incidents

Allows the app to read all security incidents, without a signed-in user.

Permission ID: 45cc0394-e837-488b-a098-1918f48d186c

Delegated Permission

Read incidents

Allows the app to read security incidents, on behalf of the signed-in user.

Permission ID: b9abcc4f-94fc-4457-9141-d20ce80ec952

Properties

Microsoft Graph v1.0 exact-category-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property	Type	Description
`assignedTo`	`String`Nullable	Owner of the incident, or null if no owner is assigned. Free editable text.
`classification`	`security.alertClassification`	The specification for the incident. The possible values are: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue.
`comments`	`security.alertComment collection`	Array of comments created by the Security Operations (SecOps) team when the incident is managed.
`createdDateTime`	`DateTimeOffset`	Time when the incident was first created.
`customTags`	`String collection`	Array of custom tags associated with an incident.
`description`	`String`Nullable	Description of the incident.
`determination`	`security.alertDetermination`	Specifies the determination of the incident. The possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedUser, phishing, maliciousUserActivity, clean, insufficientData, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue.
`displayName`	`String`Nullable	The incident name.
`id`	`String`	Unique identifier to represent the incident.
`incidentWebUrl`	`String`Nullable	The URL for the incident page in the Microsoft 365 Defender portal.
`lastModifiedBy`	`String`Nullable	The identity that last modified the incident.
`lastUpdateDateTime`	`DateTimeOffset`	Time when the incident was last updated.
`priorityScore`	`Int`Nullable	A priority score for the incident from 0 to 100, with 85 being the top priority, 15 - 85 medium priority, and < 15 low priority. This score is generated using machine learning and is based on multiple factors, including severity, disruption impact, threat intelligence, alert types, asset criticality, threat analytics, incident rarity, and additional priority signals. The value can also be null which indicates the feature is not open for the tenant or the value of the score is pending calculation.
`redirectIncidentId`	`String`Nullable	Only populated in case an incident is grouped with another incident, as part of the logic that processes incidents. In such a case, the status property is redirected.
`resolvingComment`	`String`Nullable	User input that explains the resolution of the incident and the classification choice. This property contains free editable text.

Showing 15 of 21 properties.

JSON Representation

Microsoft Graph v1.0 exact-category-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation

{
  "@odata.type": "#microsoft.graph.security.incident",
  "assignedTo": "String",
  "classification": "String",
  "comments": [
    {
      "@odata.type": "microsoft.graph.security.alertComment"
    }
  ],
  "createdDateTime": "String (timestamp)",
  "customTags": [
    "String"
  ],
  "description": "String",
  "determination": "String",
  "displayName": "String",
  "id": "String (identifier)",
  "incidentWebUrl": "String",
  "lastModifiedBy": "String",
  "lastUpdateDateTime": "String (timestamp)",
  "redirectIncidentId": "String",
  "resolvingComment": "String",
  "severity": "String",
  "status": "String",
  "summary": "String",
  "systemTags": [
    "String"
  ],
  "tenantId": "String",
  "priorityScore": "Int"
}

Relationships

Microsoft Graph v1.0 exact-category-docs

Relationships is shown from stable Microsoft Graph v1.0 metadata.

Relationship	Type	Description
`alerts`	`security.alert collection`	The list of related alerts. Supports $expand.
`comments`	`security.alertComment collection`	Array of comments created by the Security Operations (SecOps) team when the incident is managed.
`customTags`	`string collection`	Array of custom tags associated with an incident.
`severity`	`security.alertSeverity`	Related severity data exposed by this resource.
`status`	`security.incidentStatus`	Related status data exposed by this resource.
`systemTags`	`string collection`	The system tags associated with the incident.
`recommendedHuntingQueries`	`security.recommendedHuntingQuery collection`	List of hunting Kusto Query Language (KQL) queries related to the incident.

Graph Methods

Delegated access App-only access

Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET `/security/incidents`
GET `/security/incidents/{incidentId}`

Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET `/security/incidents`
GET `/security/incidents/{incidentId}`

Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
`Get-MgSecurityIncident` /security/incidents List incidents
`Get-MgSecurityIncident` /security/incidents/{incidentId} Get incident

Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
`Get-MgBetaSecurityIncident` /security/incidents List incidents
`Get-MgBetaSecurityIncident` /security/incidents/{incidentId} Get incident

Code Examples

C# / .NET SDK

Get incident

View official example on Microsoft Learn

// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.Incidents["{incident-id}"].GetAsync();

JavaScript

Get incident

View official example on Microsoft Learn

const options = {
	authProvider,
};

const client = Client.init(options);

let incident = await client.api('/security/incidents/29')
	.get();

PowerShell

Get incident

View official example on Microsoft Learn

Import-Module Microsoft.Graph.Security

Get-MgSecurityIncident -IncidentId $incidentId

Python

Get incident

View official example on Microsoft Learn

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

result = await graph_client.security.incidents.by_incident_id('incident-id').get()

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for SecurityIncident.Read.All

4

Grant Admin Consent

Application permissions always require admin consent.