Model: device/msgraphsecurity/Incident

Incidents

MICROSOFT

Overview

Automate provides support for Microsoft Defender for Endpoint, that addresses user devices (laptops, phones, tablets, PCs) and network devices (access points, routers, firewalls).

Note

The following entry under Global settings, Enabled Services needs to be enabled: Enable Defender for Endpoint - see: Global Settings.
For further setup and configuration, see: Microsoft Defender setup, sync and overbuild.

Dashboards

The administrator interface provides dashboards for the view and management of data:

Dashboards:: Security Management - Defender for Endpoint Overview Security Management - Defender for Endpoint Actions

Dashboards:

By default:
- The Defender for Endpoint Overview dashboard provides the administrator with counters, charts and tables showing information on alerts and devices that are visible from the administrator's hierarchy, for example the total number of alerts and status breakdowns by site, as well as an overview of device types and platforms.
- The Defender for Endpoint Actions dashboard also provides the administrator with counters on alerts and devices, as well as quick links to view and manage incident, alert and device actions.

To customize your dashboards:

See: Automate Dashboards.
Resources have been added and are available to widgets on a dashboard where Data Source is Automate Analyzed.

For example:
- Defender Actions, Shows Microsoft Defender actions, device/mssecurity/MachineAction
- Defender Alerts,Shows Microsoft Defender alerts, device/msgraphsecurity/Alert
- Defender Devices,Shows onboarded Microsoft Defender devices, device/mssecurity/Machine
- Defender Exposure Score by Device Group,Shows Microsoft Defender exposure score by device group, device/mssecurity/ExposureScoreByMachineGroups
- Defender Incidents,Shows Microsoft Defender incidents, device/msgraphsecurity/Incident
- Defender Secure Score,Shows Microsoft Defender Secure Score, device/msgraphsecurity/SecureScore

Incident and Alert Actions

Incidents

Related device model: device/msgraphsecurity/Incident

Automate provides an Incidents list view showing such headings as the incident Status and Severity at a hierarchy (Located At), and allows for the examination of the Details of an incident, including for example the Incident Web URL at security.microsoft.com.

Details example in JSON:

{
    "id": "5",
    "tenantId": "f372af60-59d5-4e03-a849-9e46a432aac0",
    "status": "redirected",
    "incidentWebUrl": "https://security.microsoft.com/incident2/5/overview?tid=...",
    "redirectIncidentId": "1",
    "displayName": "[Test Alert] Suspicious Powershell commandline",
    "createdDateTime": "2025-05-07T13:12:59.9233333Z",
    "lastUpdateDateTime": "2025-05-07T13:13:12.24Z",
    "classification": "unknown",
    "determination": "unknown",
    "severity": "informational",
    "customTags": [],
    "systemTags": [],
    "lastModifiedBy": "Microsoft 365 Defender-AlertCorrelation",
    "comments": []
}

Alerts

Related device model: device/msgraphsecurity/Alerts

Automate provides an Alerts list view showing such headings as the incident Title, Status, Severity, Description and Device at a hierarchy (Located At), and allows for the Details of an instance to be viewed and managed.

Managing an alert

Administrators can manage the following alert properties:

Status
Classification
Determination
Assigned To

Details snippet in JSON:

"category": "Execution",
"status": "resolved",
"severity": "informational",
"classification": "falsePositive",
"determination": "malware",
"serviceSource": "microsoftDefenderForEndpoint",
"detectionSource": "microsoftDefenderForEndpoint",
"createdDateTime": "2025-05-06T14:13:19.0633333Z",
"lastUpdateDateTime": "2025-08-21T02:47:29.24Z",
"resolvedDateTime": "2025-08-21T02:47:29.17Z",
"firstActivityDateTime": "2025-05-06T14:06:51.7300174Z",
"lastActivityDateTime": "2025-05-06T21:45:13.6345713Z",
"deviceEvidence": {
...
},
"userEvidence": {
...
},
"productName": "Microsoft Defender for Endpoint",
"deviceDnsName": "windows-endpoint",
"deviceTags": [
...
],
"userAccountName": "defender-admin",
"userSid": "..."

Device Actions

View Devices

Related device model: device/mssecurity/Machine

Automate provides an View Devices list view showing such headings as the Last IP Address, Health Status, Exposure Level and Device at a hierarchy (Located At), and allows for the examination of the Details of a device.

Bulk Actions

Automate provides an interface to carry out bulk actions on devices. For Target Defender Devices, the Available and Selected transfer boxes are available to select devices accessible from a hierarchy to carry out operations in bulk:

Device Filter: by operating system - all, Windows, macOS, Linux, Android, IOS
Operation: Scan, isolate, un-isolate, offboard, restrict code execution, unrestrict code execution
Type: full, quick

Machine Action

The relation/MachineAction model is available to allow for the execution of Cancel action. (This action sends a request to device/mssecurity/MachineActionCancel.)

Model Details: device/msgraphsecurity/Incident

An asterisk * in the title indicates the field is mandatory.
If a field has a default value, it is shown in the Description column.
If the field type is an array, the Field Name has a .[n] suffix, where n is the array index placeholder.
Object and array field names are listed to provide context. If a field belongs to an object or an array, the full field name is shown in dot separated notation.

Title		Details
Id		Field Name: id Type: String
Tenant ID		Field Name: tenantId Type: String
Status		Field Name: status Type: String
Incident Web URL		Field Name: incidentWebUrl Type: String
Redirect Incident ID		Field Name: redirectIncidentId Type: String
Display Name		Field Name: displayName Type: String
Created DateTime		Field Name: createdDateTime Type: String Format: date-time
Last Update DateTime		Field Name: lastUpdateDateTime Type: String Format: date-time
Assigned To		Field Name: assignedTo Type: String
Classification		Field Name: classification Type: String
Determination		Field Name: determination Type: String
Severity		Field Name: severity Type: String
	Custom Tags	Field Name: customTags.[n] Type: Array
	System Tags	Field Name: systemTags.[n] Type: Array
Description		Field Name: description Type: String
Last Modified By		Field Name: lastModifiedBy Type: String
Resolving Comment		Field Name: resolvingComment Type: String
Summary		Field Name: summary Type: String
	Comments	Field Name: comments.[n] Type: Array