SecurityIncident.ReadWrite.All

Application, Delegated, Read/Write, All Resources

Allows the app to read and write to all security incidents, without a signed-in user.

Permission data: April 6, 2026 at 4:06 AM UTC

Permission Details

Application Permission

Read and write to all security incidents

Allows the app to read and write to all security incidents, without a signed-in user.

Delegated Permission (admin consent required)

Read and write to incidents

Allows the app to read and write security incidents, on behalf of the signed-in user.

Properties

Properties are shown from stable Microsoft Graph v1.0 metadata.

| Property | Type | Description |
| --- | --- | --- |
| assignedTo | String (nullable) | Owner of the incident, or null if no owner is assigned. Free editable text. |
| classification | security.alertClassification | The specification for the incident. The possible values are: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue. |
| comments | security.alertComment collection | Array of comments created by the Security Operations (SecOps) team when the incident is managed. |
| createdDateTime | DateTimeOffset | Time when the incident was first created. |
| customTags | String collection | Array of custom tags associated with an incident. |
| description | String (nullable) | Description of the incident. |
| determination | security.alertDetermination | Specifies the determination of the incident. The possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedUser, phishing, maliciousUserActivity, clean, insufficientData, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue. |
| displayName | String (nullable) | The incident name. |
| id | String | Unique identifier to represent the incident. |
| incidentWebUrl | String (nullable) | The URL for the incident page in the Microsoft 365 Defender portal. |
| lastModifiedBy | String (nullable) | The identity that last modified the incident. |
| lastUpdateDateTime | DateTimeOffset | Time when the incident was last updated. |
| priorityScore | Int (nullable) | A priority score for the incident from 0 to 100, with 85 being the top priority, 15 - 85 medium priority, and < 15 low priority. This score is generated using machine learning and is based on multiple factors, including severity, disruption impact, threat intelligence, alert types, asset criticality, threat analytics, incident rarity, and additional priority signals. The value can also be null, which indicates the feature is not open for the tenant or the value of the score is pending calculation. |
| redirectIncidentId | String (nullable) | Only populated in case an incident is grouped with another incident, as part of the logic that processes incidents. In such a case, the status property is redirected. |
| resolvingComment | String (nullable) | User input that explains the resolution of the incident and the classification choice. This property contains free editable text. |

Showing 15 of 21 properties.

JSON Representation

The JSON representation is shown from stable Microsoft Graph v1.0 metadata.

{
  "@odata.type": "#microsoft.graph.security.incident",
  "assignedTo": "String",
  "classification": "String",
  "comments": [
    {
      "@odata.type": "microsoft.graph.security.alertComment"
    }
  ],
  "createdDateTime": "String (timestamp)",
  "customTags": [
    "String"
  ],
  "description": "String",
  "determination": "String",
  "displayName": "String",
  "id": "String (identifier)",
  "incidentWebUrl": "String",
  "lastModifiedBy": "String",
  "lastUpdateDateTime": "String (timestamp)",
  "redirectIncidentId": "String",
  "resolvingComment": "String",
  "severity": "String",
  "status": "String",
  "summary": "String",
  "systemTags": [
    "String"
  ],
  "tenantId": "String",
  "priorityScore": "Int"
}

Relationships

Relationships are shown from stable Microsoft Graph v1.0 metadata.

| Relationship | Type | Description |
| --- | --- | --- |
| alerts | security.alert collection | The list of related alerts. Supports $expand. |
| comments | security.alertComment collection | Array of comments created by the Security Operations (SecOps) team when the incident is managed. |
| customTags | string collection | Array of custom tags associated with an incident. |
| severity | security.alertSeverity | Related severity data exposed by this resource. |
| status | security.incidentStatus | Related status data exposed by this resource. |
| systemTags | string collection | The system tags associated with the incident. |
| recommendedHuntingQueries | security.recommendedHuntingQuery collection | List of hunting Kusto Query Language (KQL) queries related to the incident. |

Graph Methods


Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /security/incidents
GET /security/incidents/{incidentId}
POST /security/incidents/{incidentId}/comments
PATCH /security/incidents/{incidentId}

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /security/incidents
GET /security/incidents/{incidentId}
POST /security/incidents/{incidentId}/comments
PATCH /security/incidents/{incidentId}

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
| Command | Endpoint | Operation |
| --- | --- | --- |
| Get-MgSecurityIncident | /security/incidents | List incidents |
| Get-MgSecurityIncident | /security/incidents/{incidentId} | Get incident |
| Update-MgSecurityIncident | /security/incidents/{incidentId} | Update incident |

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
| Command | Endpoint | Operation |
| --- | --- | --- |
| Get-MgBetaSecurityIncident | /security/incidents | List incidents |
| Get-MgBetaSecurityIncident | /security/incidents/{incidentId} | Get incident |
| Update-MgBetaSecurityIncident | /security/incidents/{incidentId} | Update incident |

Code Examples

C# / .NET SDK
Update incident
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models.Security;

var requestBody = new Incident
{
	Classification = AlertClassification.TruePositive,
	Determination = AlertDetermination.MultiStagedAttack,
	CustomTags = new List<string>
	{
		"Demo",
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.Incidents["{incident-id}"].PatchAsync(requestBody);
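
JavaScript
Create comment for incident
// Client comes from the Microsoft Graph JavaScript SDK
import { Client } from '@microsoft/microsoft-graph-client';

// authProvider must be an already-initialized authentication provider for your app
const options = {
	authProvider,
};

const client = Client.init(options);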

const alertComment = {
    '@odata.type': 'microsoft.graph.security.alertComment',
    comment: 'Demo for docs'
};

await client.api('/security/incidents/3962396/comments')
	.post(alertComment);

PowerShell
Update incident
Import-Module Microsoft.Graph.Security

$params = @{
	classification = "TruePositive"
	determination = "MultiStagedAttack"
	customTags = @(
		"Demo"
	)
}

# $incidentId must hold the ID of the incident to update
Update-MgSecurityIncident -IncidentId $incidentId -BodyParameter $params

Python
Update incident
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.security.incident import Incident
# The enums live in the security namespace, alongside the Incident model
from msgraph.generated.models.security.alert_classification import AlertClassification
from msgraph.generated.models.security.alert_determination import AlertDetermination
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Incident(
	classification = AlertClassification.TruePositive,
	determination = AlertDetermination.MultiStagedAttack,
	custom_tags = [
		"Demo",
	],
)

# The SDK is asynchronous: run this call inside an async function
result = await graph_client.security.incidents.by_incident_id('incident-id').patch(request_body)

App Registration

1. Navigate to Azure Portal: Go to App registrations in Microsoft Entra admin center.
2. Add API Permission: Select your app → API permissions → Add a permission → Microsoft Graph.
3. Select Permission Type: Choose Application permissions or delegated permissions and search for SecurityIncident.ReadWrite.All.
4. Grant Admin Consent: Application permissions always require admin consent.
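
Once consent has been granted, it is worth reviewing which service principals actually hold the app-only form of this permission. The following is an added example, not part of the original page: it resolves the permission name to its app role on the Microsoft Graph service principal and lists every assignee. The `Application.Read.All` sign-in scope and all variable names are assumptions; delegated grants are not covered.

```powershell
# Added audit example: list service principals that were granted the
# SecurityIncident.ReadWrite.All application permission (app role).
# Assumption: the signed-in account may read applications (Application.Read.All).
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All'

$permission = 'SecurityIncident.ReadWrite.All'

# Microsoft Graph's own service principal; this appId is the same in every tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Resolve the permission name to its app role ID instead of hard-coding a GUID.
$role = $graphSp.AppRoles | Where-Object { $_.Value -eq $permission }
if (-not $role) { throw "App role '$permission' not found on Microsoft Graph." }

# App-only grants are stored as app role assignments on the Graph service principal.
$grants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.AppRoleId -eq $role.Id }

# Enrich each assignment with details of the app that holds it.
$report = foreach ($grant in $grants) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $grant.PrincipalId
    [pscustomobject]@{
        DisplayName   = $sp.DisplayName
        AppId         = $sp.AppId
        ObjectId      = $sp.Id
        OwnerTenantId = $sp.AppOwnerOrganizationId   # differs from your tenant for third-party apps
        GrantedOn     = $grant.CreatedDateTime
    }
}

$report | Sort-Object GrantedOn | Format-Table -AutoSize
```

Any entry in the output can read and modify every incident in the tenant without a signed-in user, so unexpected or third-party owners deserve a closer look.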