Azure Sentinel Docs
Incidents

Incidents Overview

An incident groups related alerts, together with the entities (accounts, hosts, IP addresses) they share, into a single case that tracks the investigation from creation to closure. Use incidents to triage, investigate, and respond to a threat as one unit rather than alert by alert.

Incident ID   Title                                  Status   Severity   Created                 Owner
INC0010234    Suspicious PowerShell Execution        Active   High       2025-09-10 14:22 UTC    Alice Johnson
INC0010189    Multiple Failed Logins                 Closed   Medium     2025-09-09 09:15 UTC    Bob Lee
INC0010125    Unusual Azure AD Application Consent   Active   High       2025-09-08 21:37 UTC    Carol Smith
INC0010056    Data Exfiltration Attempt Detected     Closed   High       2025-09-07 06:42 UTC    David Patel

Status is one of New, Active, or Closed; severity is one of Informational, Low, Medium, or High (there is no Critical severity for Sentinel incidents).

Creating an Incident

  1. Navigate to the Alerts page.
  2. Select one or more related alerts.
  3. Click Group into Incident from the action toolbar.
  4. Provide a descriptive title and assign an owner.
  5. Save to begin investigation.

Managing Incidents via API

List the incidents in a workspace. The caller needs a bearer token for https://management.azure.com and at least the Microsoft Sentinel Reader role on the workspace. The response is paged: incidents are returned in the value array, and when more pages exist the response carries a nextLink URL to request next; keep following nextLink until it is absent.

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents?api-version=2023-12-01

Create or update an incident. The operation is an idempotent PUT against an incident ID that the caller chooses (a GUID); sending the same ID again updates that incident rather than creating a duplicate. The title, status, and severity properties are required; the owner's objectId is the Microsoft Entra ID object ID of the assignee. Writing incidents requires the Microsoft Sentinel Responder role (or a custom role that grants Microsoft.SecurityInsights/incidents/write) on the workspace.

PUT https://management.azure.com/.../incidents/{incidentId}?api-version=2023-12-01
{
  "properties": {
    "title": "New Incident Title",
    "status": "New",
    "severity": "High",
    "owner": { "objectId": "user-object-id" }
  }
}
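The following is an added example, not Microsoft's code or a sample from this page: it builds the create-or-update request described above (validating status and severity against the values the API accepts, so a bad value fails locally instead of as a 400 from ARM) and walks a paged list response via nextLink to report open high-severity incidents. The subscription, resource group, workspace, owner IDs, and the two response pages are constructed stand-ins; a real caller adds an Authorization: Bearer header (for example from `az account get-access-token --resource https://management.azure.com/`) and performs the HTTP calls with an HTTP client.

```python
"""Added example (not Microsoft's code): build the PUT create-or-update
request for a Microsoft Sentinel incident and walk the paged list response.
Assumptions: the endpoint shapes shown on this page and a caller-supplied
ARM bearer token; all IDs and sample pages below are constructed."""
import uuid
from typing import Callable, Iterator, Optional

ARM = "https://management.azure.com"
API_VERSION = "2023-12-01"  # version used on this page
VALID_STATUS = {"New", "Active", "Closed"}
VALID_SEVERITY = {"Informational", "Low", "Medium", "High"}
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def incidents_url(subscription_id: str, resource_group: str, workspace: str) -> str:
    """Collection URL for a workspace's incidents (without api-version)."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/incidents")


def build_create_request(subscription_id: str, resource_group: str, workspace: str,
                         title: str, severity: str, status: str = "New",
                         owner_object_id: Optional[str] = None,
                         incident_id: Optional[str] = None) -> dict:
    """Return method, url, headers and body (as a dict) for the PUT.

    The incident ID is a caller-chosen GUID; reusing it updates the incident
    instead of creating a duplicate. Enum values are checked up front.
    """
    if not title or not title.strip():
        raise ValueError("title is required")
    if status not in VALID_STATUS:
        raise ValueError(f"status must be one of {sorted(VALID_STATUS)}")
    if severity not in VALID_SEVERITY:
        raise ValueError(f"severity must be one of {sorted(VALID_SEVERITY)}")
    incident_id = incident_id or str(uuid.uuid4())
    props = {"title": title.strip(), "status": status, "severity": severity}
    if owner_object_id:
        props["owner"] = {"objectId": owner_object_id}
    return {
        "method": "PUT",
        "url": f"{incidents_url(subscription_id, resource_group, workspace)}"
               f"/{incident_id}?api-version={API_VERSION}",
        # Caller adds "Authorization": "Bearer <token>" before sending.
        "headers": {"Content-Type": "application/json"},
        "body": {"properties": props},
    }


def iter_incidents(fetch: Callable[[str], dict], first_url: str) -> Iterator[dict]:
    """Yield every incident across pages: each ARM list response holds one page
    in `value` and, if more follow, the URL of the next page in `nextLink`."""
    url = first_url
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("nextLink")


def open_incidents_at_or_above(fetch: Callable[[str], dict], first_url: str,
                               min_severity: str = "High") -> list:
    """(incidentNumber, title) of non-closed incidents at min_severity or above."""
    floor = SEVERITY_RANK[min_severity]
    out = []
    for inc in iter_incidents(fetch, first_url):
        p = inc["properties"]
        if p["status"] != "Closed" and SEVERITY_RANK[p["severity"]] >= floor:
            out.append((p["incidentNumber"], p["title"]))
    return out


# Constructed two-page list response mirroring the table above (not real data).
LIST_URL = incidents_url("sub", "rg", "ws") + f"?api-version={API_VERSION}"
PAGE2_URL = LIST_URL + "&$skipToken=page2"
SAMPLE_PAGES = {
    LIST_URL: {
        "value": [
            {"name": "a1", "properties": {"incidentNumber": 10234, "status": "New",
             "severity": "High", "title": "Suspicious PowerShell Execution"}},
            {"name": "a2", "properties": {"incidentNumber": 10189, "status": "Closed",
             "severity": "Medium", "title": "Multiple Failed Logins"}},
        ],
        "nextLink": PAGE2_URL,
    },
    PAGE2_URL: {
        "value": [
            {"name": "a3", "properties": {"incidentNumber": 10125, "status": "Active",
             "severity": "High", "title": "Unusual Azure AD Application Consent"}},
            {"name": "a4", "properties": {"incidentNumber": 10056, "status": "Closed",
             "severity": "High", "title": "Data Exfiltration Attempt Detected"}},
        ],
    },
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for an authenticated GET of one page."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    req = build_create_request("sub", "rg", "ws", "New Incident Title", "High",
                               owner_object_id="user-object-id")
    print(req["method"], req["url"], req["body"])
    print(open_incidents_at_or_above(sample_fetch, LIST_URL))
```

The fetch callable is injected so the paging logic can be exercised offline; in production pass a function that performs an authenticated GET and returns the parsed JSON, and treat a missing nextLink, not an empty page, as the end of the list.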