| title | Get incident API | |||
|---|---|---|---|---|
| description | Learn how to use the Get incidents API to get a single incident in Microsoft Defender XDR. | |||
| ms.service | defender-xdr | |||
| ms.author | edbaynash | |||
| author | EdB-MSFT | |||
| ms.localizationpriority | medium | |||
| manager | dansimp | |||
| audience | ITPro | |||
| ms.topic | reference | |||
| ms.custom | api | |||
| search.appverid | met150 | |||
| ms.date | 04/15/2025 | |||
Note
Try our new APIs using MS Graph security API. Find out more at: Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn.
Retrieves a specific incident by its ID.
- Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.
One of the following permissions is required to call this API.
| Permission type | Permission | Permission display name |
|---|---|---|
| Application | Incident.Read.All | Read all Incidents |
| Application | Incident.ReadWrite.All | Read and write all Incidents |
| Delegated (work or school account) | Incident.Read | Read Incidents |
| Delegated (work or school account) | Incident.ReadWrite | Read and write Incidents |
Note
When obtaining a token using user credentials:
- The user needs to have at least the following role permission: View Data
- The response will only include incidents that the user is exposed to

GET .../api/incidents/{id}

| Name | Type | Description |
|---|---|---|
| Authorization | String | Bearer {token}. Required. |
Request body: Empty.
If successful, this method returns 200 OK, and the incident entity in the response body.
If the incident with the specified ID isn't found, the method returns 404 Not Found.
Here's an example of the request.
GET https://api.security.microsoft.com/api/incidents/{id}
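A client for the request above, added here as an example (not Microsoft's code): it sends the documented Authorization header, stays within the documented limits of 100 calls per minute and 1,500 calls per hour, and maps 404 Not Found to `None`. The class name, the injectable `opener`/`clock`/`sleep` parameters and the integer check on the incident ID are assumptions of this example.

```python
import json
import time
import urllib.error
import urllib.request
from collections import deque

BASE_URL = "https://api.security.microsoft.com/api/incidents/"
# (window in seconds, max calls) as stated in the rate limitations above
LIMITS = ((60, 100), (3600, 1500))


class IncidentClient:
    def __init__(self, token, opener=urllib.request.urlopen,
                 clock=time.monotonic, sleep=time.sleep):
        # opener/clock/sleep are injectable so the client can be tested offline
        self._token, self._open = token, opener
        self._clock, self._sleep = clock, sleep
        self._calls = deque()  # timestamps of calls made in the last hour

    def _throttle(self):
        """Block until one more call fits inside both documented windows."""
        while True:
            now = self._clock()
            while self._calls and now - self._calls[0] >= 3600:
                self._calls.popleft()
            waits = []
            for window, cap in LIMITS:
                recent = [t for t in self._calls if now - t < window]
                if len(recent) >= cap:
                    waits.append(recent[-cap] + window - now)
            if not waits:
                self._calls.append(now)
                return
            self._sleep(max(waits))

    def get_incident(self, incident_id):
        """Return the incident entity as a dict, or None on 404 Not Found."""
        # Assumption: IDs are integers; int() rejects path-like input early.
        req = urllib.request.Request(
            BASE_URL + str(int(incident_id)),
            headers={"Authorization": f"Bearer {self._token}"})
        self._throttle()
        try:
            with self._open(req) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise  # 401/403/429/5xx are left for the caller to handle
```

Client-side throttling only covers calls made through one `IncidentClient` instance; other processes using the same application still count toward the service-side limits.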