
azure-native.securityinsights.Incident


This is the latest version of Azure Native. Use the Azure Native v2 docs if using the v2 version of this package.
Azure Native v3.2.0 published on Monday, Apr 14, 2025 by Pulumi

Represents an incident in Azure Security Insights.

Uses Azure REST API version 2024-09-01. In version 2.x of the Azure Native provider, it used API version 2023-02-01.

Other available API versions: 2023-02-01, 2023-03-01-preview, 2023-04-01-preview, 2023-05-01-preview, 2023-06-01-preview, 2023-07-01-preview, 2023-08-01-preview, 2023-09-01-preview, 2023-10-01-preview, 2023-11-01, 2023-12-01-preview, 2024-01-01-preview, 2024-03-01, 2024-04-01-preview, 2024-10-01-preview, 2025-01-01-preview, 2025-03-01. These can be accessed by generating a local SDK package using the CLI command pulumi package add azure-native securityinsights [ApiVersion]. See the version guide for details.

Example Usage

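Creates or updates an incident. The example declares an incident that is already closed as a false positive, which is why it sets the classification fields alongside the status.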

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    // Arguments for an incident that is declared already closed as a false positive.
    // Classification, ClassificationReason and ClassificationComment record why an
    // incident was closed, so they are set together with Status = Closed.
    var closedIncidentArgs = new AzureNative.SecurityInsights.IncidentArgs
    {
        // Placement and identity. Per the property reference, changing any of these
        // three triggers replacement of the resource rather than an in-place update.
        ResourceGroupName = "myRg",
        WorkspaceName = "myWorkspace",
        IncidentId = "73e01a99-5cd7-4139-a149-9f2736ff2ab5",

        // Triage fields; Title, Severity and Status are required inputs.
        Title = "My incident",
        Description = "This is a demo incident",
        Severity = AzureNative.SecurityInsights.IncidentSeverity.High,
        Status = AzureNative.SecurityInsights.IncidentStatus.Closed,

        // Closure record.
        Classification = AzureNative.SecurityInsights.IncidentClassification.FalsePositive,
        ClassificationReason = AzureNative.SecurityInsights.IncidentClassificationReason.IncorrectAlertLogic,
        ClassificationComment = "Not a malicious activity",

        // Activity window of the incident, as UTC timestamps.
        FirstActivityTimeUtc = "2019-01-01T13:00:30Z",
        LastActivityTimeUtc = "2019-01-01T13:05:30Z",

        // The user the incident is assigned to; the ObjectId here is a sample value.
        Owner = new AzureNative.SecurityInsights.Inputs.IncidentOwnerInfoArgs
        {
            ObjectId = "2046feea-040d-4a46-9e2b-91c2941bfa70",
        },
    };

    var incident = new AzureNative.SecurityInsights.Incident("incident", closedIncidentArgs);
});
package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers a single Security Insights incident with the Pulumi engine.
// The incident is declared already closed as a false positive, which is why the
// classification fields are set together with the Closed status.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		incidentArgs := &securityinsights.IncidentArgs{
			// Placement and identity. Per the property reference, changing any of
			// these three triggers replacement rather than an in-place update.
			ResourceGroupName: pulumi.String("myRg"),
			WorkspaceName:     pulumi.String("myWorkspace"),
			IncidentId:        pulumi.String("73e01a99-5cd7-4139-a149-9f2736ff2ab5"),

			// Triage fields; Title, Severity and Status are required inputs.
			Title:       pulumi.String("My incident"),
			Description: pulumi.String("This is a demo incident"),
			Severity:    pulumi.String(securityinsights.IncidentSeverityHigh),
			Status:      pulumi.String(securityinsights.IncidentStatusClosed),

			// Closure record: why the incident was closed.
			Classification:        pulumi.String(securityinsights.IncidentClassificationFalsePositive),
			ClassificationReason:  pulumi.String(securityinsights.IncidentClassificationReasonIncorrectAlertLogic),
			ClassificationComment: pulumi.String("Not a malicious activity"),

			// Activity window of the incident, as UTC timestamps.
			FirstActivityTimeUtc: pulumi.String("2019-01-01T13:00:30Z"),
			LastActivityTimeUtc:  pulumi.String("2019-01-01T13:05:30Z"),

			// The user the incident is assigned to; the ObjectId is a sample value.
			Owner: &securityinsights.IncidentOwnerInfoArgs{
				ObjectId: pulumi.String("2046feea-040d-4a46-9e2b-91c2941bfa70"),
			},
		}

		// The resource handle is not used afterwards; only the error is propagated.
		_, err := securityinsights.NewIncident(ctx, "incident", incidentArgs)
		return err
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.Incident;
import com.pulumi.azurenative.securityinsights.IncidentArgs;
import com.pulumi.azurenative.securityinsights.inputs.IncidentOwnerInfoArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that declares one Security Insights incident.
 *
 * <p>The incident is declared already closed as a false positive, so the three
 * classification fields are supplied together with the "Closed" status.
 */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the incident resource.
     *
     * @param ctx the Pulumi context for the current deployment (not read here)
     */
    public static void stack(Context ctx) {
        // The user the incident is assigned to; the object id is a sample value.
        final var assignee = IncidentOwnerInfoArgs.builder()
            .objectId("2046feea-040d-4a46-9e2b-91c2941bfa70")
            .build();

        final var closedIncidentArgs = IncidentArgs.builder()
            // Placement and identity. Per the property reference, changing any of
            // these three triggers replacement rather than an in-place update.
            .resourceGroupName("myRg")
            .workspaceName("myWorkspace")
            .incidentId("73e01a99-5cd7-4139-a149-9f2736ff2ab5")
            // Triage fields; title, severity and status are required inputs.
            .title("My incident")
            .description("This is a demo incident")
            .severity("High")
            .status("Closed")
            // Closure record: why the incident was closed.
            .classification("FalsePositive")
            .classificationReason("IncorrectAlertLogic")
            .classificationComment("Not a malicious activity")
            // Activity window of the incident, as UTC timestamps.
            .firstActivityTimeUtc("2019-01-01T13:00:30Z")
            .lastActivityTimeUtc("2019-01-01T13:05:30Z")
            .owner(assignee)
            .build();

        var incident = new Incident("incident", closedIncidentArgs);
    }
}
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Arguments for an incident that is declared already closed as a false positive.
// The classification fields record why an incident was closed, so they are set
// together with the Closed status.
const closedIncidentArgs: azure_native.securityinsights.IncidentArgs = {
    // Placement and identity. Per the property reference, changing any of these
    // three triggers replacement of the resource rather than an in-place update.
    resourceGroupName: "myRg",
    workspaceName: "myWorkspace",
    incidentId: "73e01a99-5cd7-4139-a149-9f2736ff2ab5",

    // Triage fields; title, severity and status are required inputs.
    title: "My incident",
    description: "This is a demo incident",
    severity: azure_native.securityinsights.IncidentSeverity.High,
    status: azure_native.securityinsights.IncidentStatus.Closed,

    // Closure record.
    classification: azure_native.securityinsights.IncidentClassification.FalsePositive,
    classificationReason: azure_native.securityinsights.IncidentClassificationReason.IncorrectAlertLogic,
    classificationComment: "Not a malicious activity",

    // Activity window of the incident, as UTC timestamps.
    firstActivityTimeUtc: "2019-01-01T13:00:30Z",
    lastActivityTimeUtc: "2019-01-01T13:05:30Z",

    // The user the incident is assigned to; the objectId is a sample value.
    owner: {
        objectId: "2046feea-040d-4a46-9e2b-91c2941bfa70",
    },
};

const incident = new azure_native.securityinsights.Incident("incident", closedIncidentArgs);
import pulumi
import pulumi_azure_native as azure_native

# Declares an incident that is already closed as a false positive. The three
# classification_* fields record why an incident was closed, so they are set
# together with the CLOSED status.
incident = azure_native.securityinsights.Incident(
    "incident",
    # Placement and identity. Per the property reference, changing any of these
    # three triggers replacement of the resource rather than an in-place update.
    resource_group_name="myRg",
    workspace_name="myWorkspace",
    incident_id="73e01a99-5cd7-4139-a149-9f2736ff2ab5",
    # Triage fields; title, severity and status are required inputs.
    title="My incident",
    description="This is a demo incident",
    severity=azure_native.securityinsights.IncidentSeverity.HIGH,
    status=azure_native.securityinsights.IncidentStatus.CLOSED,
    # Closure record.
    classification=azure_native.securityinsights.IncidentClassification.FALSE_POSITIVE,
    classification_reason=azure_native.securityinsights.IncidentClassificationReason.INCORRECT_ALERT_LOGIC,
    classification_comment="Not a malicious activity",
    # Activity window of the incident, as UTC timestamps.
    first_activity_time_utc="2019-01-01T13:00:30Z",
    last_activity_time_utc="2019-01-01T13:05:30Z",
    # The user the incident is assigned to, passed as an argument class instead of
    # a dictionary literal; the object id is a sample value.
    owner=azure_native.securityinsights.IncidentOwnerInfoArgs(
        object_id="2046feea-040d-4a46-9e2b-91c2941bfa70",
    ),
)
# Declares one Security Insights incident that is already closed as a false positive.
resources:
  incident:
    type: azure-native:securityinsights:Incident
    properties:
      # Closure record: these three fields describe why the incident was closed
      # and accompany status: Closed below.
      classification: FalsePositive
      classificationComment: Not a malicious activity
      classificationReason: IncorrectAlertLogic
      description: This is a demo incident
      # NOTE(review): the timestamps are unquoted; the property is typed as a string,
      # so quote them if your YAML tooling would otherwise read them as dates.
      firstActivityTimeUtc: 2019-01-01T13:00:30Z
      # Changing incidentId, resourceGroupName or workspaceName triggers replacement
      # of the resource rather than an in-place update.
      incidentId: 73e01a99-5cd7-4139-a149-9f2736ff2ab5
      lastActivityTimeUtc: 2019-01-01T13:05:30Z
      # The user the incident is assigned to; the objectId is a sample value.
      owner:
        objectId: 2046feea-040d-4a46-9e2b-91c2941bfa70
      resourceGroupName: myRg
      # severity, status and title are required inputs.
      severity: High
      status: Closed
      title: My incident
      workspaceName: myWorkspace

Create Incident Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Incident(name: string, args: IncidentArgs, opts?: CustomResourceOptions);
@overload
def Incident(resource_name: str,
             args: IncidentArgs,
             opts: Optional[ResourceOptions] = None)

@overload
def Incident(resource_name: str,
             opts: Optional[ResourceOptions] = None,
             resource_group_name: Optional[str] = None,
             workspace_name: Optional[str] = None,
             title: Optional[str] = None,
             status: Optional[Union[str, IncidentStatus]] = None,
             severity: Optional[Union[str, IncidentSeverity]] = None,
             description: Optional[str] = None,
             labels: Optional[Sequence[IncidentLabelArgs]] = None,
             last_activity_time_utc: Optional[str] = None,
             owner: Optional[IncidentOwnerInfoArgs] = None,
             incident_id: Optional[str] = None,
             first_activity_time_utc: Optional[str] = None,
             classification: Optional[Union[str, IncidentClassification]] = None,
             classification_reason: Optional[Union[str, IncidentClassificationReason]] = None,
             classification_comment: Optional[str] = None)
func NewIncident(ctx *Context, name string, args IncidentArgs, opts ...ResourceOption) (*Incident, error)
public Incident(string name, IncidentArgs args, CustomResourceOptions? opts = null)
public Incident(String name, IncidentArgs args)
public Incident(String name, IncidentArgs args, CustomResourceOptions options)
type: azure-native:securityinsights:Incident
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. IncidentArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. IncidentArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. IncidentArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. IncidentArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. IncidentArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

// Reference listing: every input property of Incident with a "string" placeholder.
// Required inputs are ResourceGroupName, WorkspaceName, Title, Status and Severity;
// everything else is optional.
var incidentResource = new AzureNative.SecurityInsights.Incident("incidentResource", new()
{
    // Changing ResourceGroupName or WorkspaceName triggers replacement of the resource.
    ResourceGroupName = "string",
    WorkspaceName = "string",
    Title = "string",
    // Accepted values: "New", "Active", "Closed".
    Status = "string",
    // Accepted values: "High", "Medium", "Low", "Informational".
    Severity = "string",
    Description = "string",
    Labels = new[]
    {
        new AzureNative.SecurityInsights.Inputs.IncidentLabelArgs
        {
            LabelName = "string",
        },
    },
    LastActivityTimeUtc = "string",
    // Describes the user the incident is assigned to.
    Owner = new AzureNative.SecurityInsights.Inputs.IncidentOwnerInfoArgs
    {
        AssignedTo = "string",
        Email = "string",
        ObjectId = "string",
        OwnerType = "string",
        UserPrincipalName = "string",
    },
    // Changing IncidentId triggers replacement of the resource.
    IncidentId = "string",
    FirstActivityTimeUtc = "string",
    // The three Classification* fields describe why the incident was closed.
    // Classification: "Undetermined", "TruePositive", "BenignPositive", "FalsePositive".
    Classification = "string",
    // ClassificationReason: "SuspiciousActivity", "SuspiciousButExpected",
    // "IncorrectAlertLogic", "InaccurateData".
    ClassificationReason = "string",
    ClassificationComment = "string",
});
// Reference listing: every input property of Incident with a "string" placeholder.
// Required inputs are ResourceGroupName, WorkspaceName, Title, Status and Severity;
// everything else is optional. This fragment expects ctx to be supplied by the caller.
example, err := securityinsights.NewIncident(ctx, "incidentResource", &securityinsights.IncidentArgs{
	// Changing ResourceGroupName or WorkspaceName triggers replacement of the resource.
	ResourceGroupName: pulumi.String("string"),
	WorkspaceName:     pulumi.String("string"),
	Title:             pulumi.String("string"),
	// Accepted values: "New", "Active", "Closed".
	Status:            pulumi.String("string"),
	// Accepted values: "High", "Medium", "Low", "Informational".
	Severity:          pulumi.String("string"),
	Description:       pulumi.String("string"),
	Labels: securityinsights.IncidentLabelArray{
		&securityinsights.IncidentLabelArgs{
			LabelName: pulumi.String("string"),
		},
	},
	LastActivityTimeUtc: pulumi.String("string"),
	// Describes the user the incident is assigned to.
	Owner: &securityinsights.IncidentOwnerInfoArgs{
		AssignedTo:        pulumi.String("string"),
		Email:             pulumi.String("string"),
		ObjectId:          pulumi.String("string"),
		OwnerType:         pulumi.String("string"),
		UserPrincipalName: pulumi.String("string"),
	},
	// Changing IncidentId triggers replacement of the resource.
	IncidentId:            pulumi.String("string"),
	FirstActivityTimeUtc:  pulumi.String("string"),
	// The three Classification* fields describe why the incident was closed.
	// Classification: "Undetermined", "TruePositive", "BenignPositive", "FalsePositive".
	Classification:        pulumi.String("string"),
	// ClassificationReason: "SuspiciousActivity", "SuspiciousButExpected",
	// "IncorrectAlertLogic", "InaccurateData".
	ClassificationReason:  pulumi.String("string"),
	ClassificationComment: pulumi.String("string"),
})
// Reference listing: every input property of Incident with a "string" placeholder.
// Required inputs are resourceGroupName, workspaceName, title, status and severity;
// everything else is optional.
var incidentResource = new Incident("incidentResource", IncidentArgs.builder()
    // Changing resourceGroupName or workspaceName triggers replacement of the resource.
    .resourceGroupName("string")
    .workspaceName("string")
    .title("string")
    // Accepted values: "New", "Active", "Closed".
    .status("string")
    // Accepted values: "High", "Medium", "Low", "Informational".
    .severity("string")
    .description("string")
    .labels(IncidentLabelArgs.builder()
        .labelName("string")
        .build())
    .lastActivityTimeUtc("string")
    // Describes the user the incident is assigned to.
    .owner(IncidentOwnerInfoArgs.builder()
        .assignedTo("string")
        .email("string")
        .objectId("string")
        .ownerType("string")
        .userPrincipalName("string")
        .build())
    // Changing incidentId triggers replacement of the resource.
    .incidentId("string")
    .firstActivityTimeUtc("string")
    // The three classification* fields describe why the incident was closed.
    // classification: "Undetermined", "TruePositive", "BenignPositive", "FalsePositive".
    .classification("string")
    // classificationReason: "SuspiciousActivity", "SuspiciousButExpected",
    // "IncorrectAlertLogic", "InaccurateData".
    .classificationReason("string")
    .classificationComment("string")
    .build());
# Reference listing: every input property of Incident with a "string" placeholder.
# Required inputs are resource_group_name, workspace_name, title, status and severity;
# everything else is optional.
incident_resource = azure_native.securityinsights.Incident("incidentResource",
    # Changing resource_group_name or workspace_name triggers replacement of the resource.
    resource_group_name="string",
    workspace_name="string",
    title="string",
    # Accepted values: "New", "Active", "Closed".
    status="string",
    # Accepted values: "High", "Medium", "Low", "Informational".
    severity="string",
    description="string",
    labels=[{
        "label_name": "string",
    }],
    last_activity_time_utc="string",
    # Describes the user the incident is assigned to.
    owner={
        "assigned_to": "string",
        "email": "string",
        "object_id": "string",
        "owner_type": "string",
        "user_principal_name": "string",
    },
    # Changing incident_id triggers replacement of the resource.
    incident_id="string",
    first_activity_time_utc="string",
    # The three classification* fields describe why the incident was closed.
    # classification: "Undetermined", "TruePositive", "BenignPositive", "FalsePositive".
    classification="string",
    # classification_reason: "SuspiciousActivity", "SuspiciousButExpected",
    # "IncorrectAlertLogic", "InaccurateData".
    classification_reason="string",
    classification_comment="string")
// Reference listing: every input property of Incident with a "string" placeholder.
// Required inputs are resourceGroupName, workspaceName, title, status and severity;
// everything else is optional.
const incidentResource = new azure_native.securityinsights.Incident("incidentResource", {
    // Changing resourceGroupName or workspaceName triggers replacement of the resource.
    resourceGroupName: "string",
    workspaceName: "string",
    title: "string",
    // Accepted values: "New", "Active", "Closed".
    status: "string",
    // Accepted values: "High", "Medium", "Low", "Informational".
    severity: "string",
    description: "string",
    labels: [{
        labelName: "string",
    }],
    lastActivityTimeUtc: "string",
    // Describes the user the incident is assigned to.
    owner: {
        assignedTo: "string",
        email: "string",
        objectId: "string",
        ownerType: "string",
        userPrincipalName: "string",
    },
    // Changing incidentId triggers replacement of the resource.
    incidentId: "string",
    firstActivityTimeUtc: "string",
    // The three classification* fields describe why the incident was closed.
    // classification: "Undetermined", "TruePositive", "BenignPositive", "FalsePositive".
    classification: "string",
    // classificationReason: "SuspiciousActivity", "SuspiciousButExpected",
    // "IncorrectAlertLogic", "InaccurateData".
    classificationReason: "string",
    classificationComment: "string",
});
# Reference listing: every input property of Incident with a "string" placeholder.
# Required inputs are resourceGroupName, workspaceName, title, status and severity;
# everything else is optional.
type: azure-native:securityinsights:Incident
properties:
    # The three classification* fields describe why the incident was closed.
    # classification: Undetermined | TruePositive | BenignPositive | FalsePositive
    classification: string
    classificationComment: string
    # classificationReason: SuspiciousActivity | SuspiciousButExpected |
    # IncorrectAlertLogic | InaccurateData
    classificationReason: string
    description: string
    firstActivityTimeUtc: string
    # Changing incidentId triggers replacement of the resource.
    incidentId: string
    labels:
        - labelName: string
    lastActivityTimeUtc: string
    # Describes the user the incident is assigned to.
    owner:
        assignedTo: string
        email: string
        objectId: string
        ownerType: string
        userPrincipalName: string
    # Changing resourceGroupName or workspaceName triggers replacement of the resource.
    resourceGroupName: string
    # severity: High | Medium | Low | Informational
    severity: string
    # status: New | Active | Closed
    status: string
    title: string
    workspaceName: string

Incident Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Incident resource accepts the following input properties:

ResourceGroupName
This property is required.
Changes to this property will trigger replacement.
string
The name of the resource group. The name is case insensitive.
Severity This property is required. string | Pulumi.AzureNative.SecurityInsights.IncidentSeverity
The severity of the incident
Status This property is required. string | Pulumi.AzureNative.SecurityInsights.IncidentStatus
The status of the incident
Title This property is required. string
The title of the incident
WorkspaceName
This property is required.
Changes to this property will trigger replacement.
string
The name of the workspace.
Classification string | Pulumi.AzureNative.SecurityInsights.IncidentClassification
The reason the incident was closed
ClassificationComment string
Describes the reason the incident was closed
ClassificationReason string | Pulumi.AzureNative.SecurityInsights.IncidentClassificationReason
The classification reason the incident was closed with
Description string
The description of the incident
FirstActivityTimeUtc string
The time of the first activity in the incident
IncidentId Changes to this property will trigger replacement. string
Incident ID
Labels List<Pulumi.AzureNative.SecurityInsights.Inputs.IncidentLabel>
List of labels relevant to this incident
LastActivityTimeUtc string
The time of the last activity in the incident
Owner Pulumi.AzureNative.SecurityInsights.Inputs.IncidentOwnerInfo
Describes a user that the incident is assigned to
ResourceGroupName
This property is required.
Changes to this property will trigger replacement.
string
The name of the resource group. The name is case insensitive.
Severity This property is required. string | IncidentSeverity
The severity of the incident
Status This property is required. string | IncidentStatus
The status of the incident
Title This property is required. string
The title of the incident
WorkspaceName
This property is required.
Changes to this property will trigger replacement.
string
The name of the workspace.
Classification string | IncidentClassification
The reason the incident was closed
ClassificationComment string
Describes the reason the incident was closed
ClassificationReason string | IncidentClassificationReason
The classification reason the incident was closed with
Description string
The description of the incident
FirstActivityTimeUtc string
The time of the first activity in the incident
IncidentId Changes to this property will trigger replacement. string
Incident ID
Labels []IncidentLabelArgs
List of labels relevant to this incident
LastActivityTimeUtc string
The time of the last activity in the incident
Owner IncidentOwnerInfoArgs
Describes a user that the incident is assigned to
resourceGroupName
This property is required.
Changes to this property will trigger replacement.
String
The name of the resource group. The name is case insensitive.
severity This property is required. String | IncidentSeverity
The severity of the incident
status This property is required. String | IncidentStatus
The status of the incident
title This property is required. String
The title of the incident
workspaceName
This property is required.
Changes to this property will trigger replacement.
String
The name of the workspace.
classification String | IncidentClassification
The reason the incident was closed
classificationComment String
Describes the reason the incident was closed
classificationReason String | IncidentClassificationReason
The classification reason the incident was closed with
description String
The description of the incident
firstActivityTimeUtc String
The time of the first activity in the incident
incidentId Changes to this property will trigger replacement. String
Incident ID
labels List<IncidentLabel>
List of labels relevant to this incident
lastActivityTimeUtc String
The time of the last activity in the incident
owner IncidentOwnerInfo
Describes a user that the incident is assigned to
resourceGroupName
This property is required.
Changes to this property will trigger replacement.
string
The name of the resource group. The name is case insensitive.
severity This property is required. string | IncidentSeverity
The severity of the incident
status This property is required. string | IncidentStatus
The status of the incident
title This property is required. string
The title of the incident
workspaceName
This property is required.
Changes to this property will trigger replacement.
string
The name of the workspace.
classification string | IncidentClassification
The reason the incident was closed
classificationComment string
Describes the reason the incident was closed
classificationReason string | IncidentClassificationReason
The classification reason the incident was closed with
description string
The description of the incident
firstActivityTimeUtc string
The time of the first activity in the incident
incidentId Changes to this property will trigger replacement. string
Incident ID
labels IncidentLabel[]
List of labels relevant to this incident
lastActivityTimeUtc string
The time of the last activity in the incident
owner IncidentOwnerInfo
Describes a user that the incident is assigned to
resource_group_name
This property is required.
Changes to this property will trigger replacement.
str
The name of the resource group. The name is case insensitive.
severity This property is required. str | IncidentSeverity
The severity of the incident
status This property is required. str | IncidentStatus
The status of the incident
title This property is required. str
The title of the incident
workspace_name
This property is required.
Changes to this property will trigger replacement.
str
The name of the workspace.
classification str | IncidentClassification
The reason the incident was closed
classification_comment str
Describes the reason the incident was closed
classification_reason str | IncidentClassificationReason
The classification reason the incident was closed with
description str
The description of the incident
first_activity_time_utc str
The time of the first activity in the incident
incident_id Changes to this property will trigger replacement. str
Incident ID
labels Sequence[IncidentLabelArgs]
List of labels relevant to this incident
last_activity_time_utc str
The time of the last activity in the incident
owner IncidentOwnerInfoArgs
Describes a user that the incident is assigned to
resourceGroupName
This property is required.
Changes to this property will trigger replacement.
String
The name of the resource group. The name is case insensitive.
severity This property is required. String | "High" | "Medium" | "Low" | "Informational"
The severity of the incident
status This property is required. String | "New" | "Active" | "Closed"
The status of the incident
title This property is required. String
The title of the incident
workspaceName
This property is required.
Changes to this property will trigger replacement.
String
The name of the workspace.
classification String | "Undetermined" | "TruePositive" | "BenignPositive" | "FalsePositive"
The reason the incident was closed
classificationComment String
Describes the reason the incident was closed
classificationReason String | "SuspiciousActivity" | "SuspiciousButExpected" | "IncorrectAlertLogic" | "InaccurateData"
The classification reason the incident was closed with
description String
The description of the incident
firstActivityTimeUtc String
The time of the first activity in the incident
incidentId Changes to this property will trigger replacement. String
Incident ID
labels List<Property Map>
List of labels relevant to this incident
lastActivityTimeUtc String
The time of the last activity in the incident
owner Property Map
Describes a user that the incident is assigned to

Outputs

All input properties are implicitly available as output properties. Additionally, the Incident resource produces the following output properties:

AdditionalData Pulumi.AzureNative.SecurityInsights.Outputs.IncidentAdditionalDataResponse
Additional data on the incident
AzureApiVersion string
The Azure API version of the resource.
CreatedTimeUtc string
The time the incident was created
Id string
The provider-assigned unique ID for this managed resource.
IncidentNumber int
A sequential number
IncidentUrl string
The deep-link url to the incident in Azure portal
LastModifiedTimeUtc string
The last time the incident was updated
Name string
The name of the resource
ProviderIncidentId string
The incident ID assigned by the incident provider
ProviderName string
The name of the source provider that generated the incident
RelatedAnalyticRuleIds List<string>
List of resource ids of Analytic rules related to the incident
SystemData Pulumi.AzureNative.SecurityInsights.Outputs.SystemDataResponse
Azure Resource Manager metadata containing createdBy and modifiedBy information.
Type string
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
Etag string
Etag of the azure resource
AdditionalData IncidentAdditionalDataResponse
Additional data on the incident
AzureApiVersion string
The Azure API version of the resource.
CreatedTimeUtc string
The time the incident was created
Id string
The provider-assigned unique ID for this managed resource.
IncidentNumber int
A sequential number
IncidentUrl string
The deep-link url to the incident in Azure portal
LastModifiedTimeUtc string
The last time the incident was updated
Name string
The name of the resource
ProviderIncidentId string
The incident ID assigned by the incident provider
ProviderName string
The name of the source provider that generated the incident
RelatedAnalyticRuleIds []string
List of resource ids of Analytic rules related to the incident
SystemData SystemDataResponse
Azure Resource Manager metadata containing createdBy and modifiedBy information.
Type string
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
Etag string
Etag of the azure resource
additionalData IncidentAdditionalDataResponse
Additional data on the incident
azureApiVersion String
The Azure API version of the resource.
createdTimeUtc String
The time the incident was created
id String
The provider-assigned unique ID for this managed resource.
incidentNumber Integer
A sequential number
incidentUrl String
The deep-link url to the incident in Azure portal
lastModifiedTimeUtc String
The last time the incident was updated
name String
The name of the resource
providerIncidentId String
The incident ID assigned by the incident provider
providerName String
The name of the source provider that generated the incident
relatedAnalyticRuleIds List<String>
List of resource ids of Analytic rules related to the incident
systemData SystemDataResponse
Azure Resource Manager metadata containing createdBy and modifiedBy information.
type String
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
etag String
Etag of the azure resource
additionalData IncidentAdditionalDataResponse
Additional data on the incident
azureApiVersion string
The Azure API version of the resource.
createdTimeUtc string
The time the incident was created
id string
The provider-assigned unique ID for this managed resource.
incidentNumber number
A sequential number
incidentUrl string
The deep-link url to the incident in Azure portal
lastModifiedTimeUtc string
The last time the incident was updated
name string
The name of the resource
providerIncidentId string
The incident ID assigned by the incident provider
providerName string
The name of the source provider that generated the incident
relatedAnalyticRuleIds string[]
List of resource ids of Analytic rules related to the incident
systemData SystemDataResponse
Azure Resource Manager metadata containing createdBy and modifiedBy information.
type string
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
etag string
Etag of the azure resource
additional_data IncidentAdditionalDataResponse
Additional data on the incident
azure_api_version str
The Azure API version of the resource.
created_time_utc str
The time the incident was created
id str
The provider-assigned unique ID for this managed resource.
incident_number int
A sequential number
incident_url str
The deep-link url to the incident in Azure portal
last_modified_time_utc str
The last time the incident was updated
name str
The name of the resource
provider_incident_id str
The incident ID assigned by the incident provider
provider_name str
The name of the source provider that generated the incident
related_analytic_rule_ids Sequence[str]
List of resource ids of Analytic rules related to the incident
system_data SystemDataResponse
Azure Resource Manager metadata containing createdBy and modifiedBy information.
type str
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
etag str
Etag of the azure resource
additionalData Property Map
Additional data on the incident
azureApiVersion String
The Azure API version of the resource.
createdTimeUtc String
The time the incident was created
id String
The provider-assigned unique ID for this managed resource.
incidentNumber Number
A sequential number
incidentUrl String
The deep-link url to the incident in Azure portal
lastModifiedTimeUtc String
The last time the incident was updated
name String
The name of the resource
providerIncidentId String
The incident ID assigned by the incident provider
providerName String
The name of the source provider that generated the incident
relatedAnalyticRuleIds List<String>
List of resource ids of Analytic rules related to the incident
systemData Property Map
Azure Resource Manager metadata containing createdBy and modifiedBy information.
type String
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
etag String
ETag of the Azure resource

Supporting Types

IncidentAdditionalDataResponse, IncidentAdditionalDataResponseArgs

AlertProductNames This property is required. List<string>
List of product names of alerts in the incident
AlertsCount This property is required. int
The number of alerts in the incident
BookmarksCount This property is required. int
The number of bookmarks in the incident
CommentsCount This property is required. int
The number of comments in the incident
ProviderIncidentUrl This property is required. string
The provider incident URL, linking to the incident in the Microsoft 365 Defender portal
Tactics This property is required. List<string>
The tactics associated with incident
AlertProductNames This property is required. []string
List of product names of alerts in the incident
AlertsCount This property is required. int
The number of alerts in the incident
BookmarksCount This property is required. int
The number of bookmarks in the incident
CommentsCount This property is required. int
The number of comments in the incident
ProviderIncidentUrl This property is required. string
The provider incident URL, linking to the incident in the Microsoft 365 Defender portal
Tactics This property is required. []string
The tactics associated with incident
alertProductNames This property is required. List<String>
List of product names of alerts in the incident
alertsCount This property is required. Integer
The number of alerts in the incident
bookmarksCount This property is required. Integer
The number of bookmarks in the incident
commentsCount This property is required. Integer
The number of comments in the incident
providerIncidentUrl This property is required. String
The provider incident URL, linking to the incident in the Microsoft 365 Defender portal
tactics This property is required. List<String>
The tactics associated with incident
alertProductNames This property is required. string[]
List of product names of alerts in the incident
alertsCount This property is required. number
The number of alerts in the incident
bookmarksCount This property is required. number
The number of bookmarks in the incident
commentsCount This property is required. number
The number of comments in the incident
providerIncidentUrl This property is required. string
The provider incident URL, linking to the incident in the Microsoft 365 Defender portal
tactics This property is required. string[]
The tactics associated with incident
alert_product_names This property is required. Sequence[str]
List of product names of alerts in the incident
alerts_count This property is required. int
The number of alerts in the incident
bookmarks_count This property is required. int
The number of bookmarks in the incident
comments_count This property is required. int
The number of comments in the incident
provider_incident_url This property is required. str
The provider incident URL, linking to the incident in the Microsoft 365 Defender portal
tactics This property is required. Sequence[str]
The tactics associated with incident
alertProductNames This property is required. List<String>
List of product names of alerts in the incident
alertsCount This property is required. Number
The number of alerts in the incident
bookmarksCount This property is required. Number
The number of bookmarks in the incident
commentsCount This property is required. Number
The number of comments in the incident
providerIncidentUrl This property is required. String
The provider incident URL, linking to the incident in the Microsoft 365 Defender portal
tactics This property is required. List<String>
The tactics associated with incident

IncidentClassification, IncidentClassificationArgs

Undetermined
Undetermined: Incident classification was undetermined
TruePositive
TruePositive: Incident was true positive
BenignPositive
BenignPositive: Incident was benign positive
FalsePositive
FalsePositive: Incident was false positive
IncidentClassificationUndetermined
Undetermined: Incident classification was undetermined
IncidentClassificationTruePositive
TruePositive: Incident was true positive
IncidentClassificationBenignPositive
BenignPositive: Incident was benign positive
IncidentClassificationFalsePositive
FalsePositive: Incident was false positive
Undetermined
Undetermined: Incident classification was undetermined
TruePositive
TruePositive: Incident was true positive
BenignPositive
BenignPositive: Incident was benign positive
FalsePositive
FalsePositive: Incident was false positive
Undetermined
Undetermined: Incident classification was undetermined
TruePositive
TruePositive: Incident was true positive
BenignPositive
BenignPositive: Incident was benign positive
FalsePositive
FalsePositive: Incident was false positive
UNDETERMINED
Undetermined: Incident classification was undetermined
TRUE_POSITIVE
TruePositive: Incident was true positive
BENIGN_POSITIVE
BenignPositive: Incident was benign positive
FALSE_POSITIVE
FalsePositive: Incident was false positive
"Undetermined"
Undetermined: Incident classification was undetermined
"TruePositive"
TruePositive: Incident was true positive
"BenignPositive"
BenignPositive: Incident was benign positive
"FalsePositive"
FalsePositive: Incident was false positive

IncidentClassificationReason, IncidentClassificationReasonArgs

SuspiciousActivity
SuspiciousActivity: Classification reason was suspicious activity
SuspiciousButExpected
SuspiciousButExpected: Classification reason was suspicious but expected
IncorrectAlertLogic
IncorrectAlertLogic: Classification reason was incorrect alert logic
InaccurateData
InaccurateData: Classification reason was inaccurate data
IncidentClassificationReasonSuspiciousActivity
SuspiciousActivity: Classification reason was suspicious activity
IncidentClassificationReasonSuspiciousButExpected
SuspiciousButExpected: Classification reason was suspicious but expected
IncidentClassificationReasonIncorrectAlertLogic
IncorrectAlertLogic: Classification reason was incorrect alert logic
IncidentClassificationReasonInaccurateData
InaccurateData: Classification reason was inaccurate data
SuspiciousActivity
SuspiciousActivity: Classification reason was suspicious activity
SuspiciousButExpected
SuspiciousButExpected: Classification reason was suspicious but expected
IncorrectAlertLogic
IncorrectAlertLogic: Classification reason was incorrect alert logic
InaccurateData
InaccurateData: Classification reason was inaccurate data
SuspiciousActivity
SuspiciousActivity: Classification reason was suspicious activity
SuspiciousButExpected
SuspiciousButExpected: Classification reason was suspicious but expected
IncorrectAlertLogic
IncorrectAlertLogic: Classification reason was incorrect alert logic
InaccurateData
InaccurateData: Classification reason was inaccurate data
SUSPICIOUS_ACTIVITY
SuspiciousActivity: Classification reason was suspicious activity
SUSPICIOUS_BUT_EXPECTED
SuspiciousButExpected: Classification reason was suspicious but expected
INCORRECT_ALERT_LOGIC
IncorrectAlertLogic: Classification reason was incorrect alert logic
INACCURATE_DATA
InaccurateData: Classification reason was inaccurate data
"SuspiciousActivity"
SuspiciousActivity: Classification reason was suspicious activity
"SuspiciousButExpected"
SuspiciousButExpected: Classification reason was suspicious but expected
"IncorrectAlertLogic"
IncorrectAlertLogic: Classification reason was incorrect alert logic
"InaccurateData"
InaccurateData: Classification reason was inaccurate data

IncidentLabel, IncidentLabelArgs

LabelName This property is required. string
The name of the label
LabelName This property is required. string
The name of the label
labelName This property is required. String
The name of the label
labelName This property is required. string
The name of the label
label_name This property is required. str
The name of the label
labelName This property is required. String
The name of the label

IncidentLabelResponse, IncidentLabelResponseArgs

LabelName This property is required. string
The name of the label
LabelType This property is required. string
The type of the label
LabelName This property is required. string
The name of the label
LabelType This property is required. string
The type of the label
labelName This property is required. String
The name of the label
labelType This property is required. String
The type of the label
labelName This property is required. string
The name of the label
labelType This property is required. string
The type of the label
label_name This property is required. str
The name of the label
label_type This property is required. str
The type of the label
labelName This property is required. String
The name of the label
labelType This property is required. String
The type of the label

IncidentOwnerInfo, IncidentOwnerInfoArgs

AssignedTo string
The name of the user the incident is assigned to.
Email string
The email of the user the incident is assigned to.
ObjectId string
The object id of the user the incident is assigned to.
OwnerType string | Pulumi.AzureNative.SecurityInsights.OwnerType
The type of the owner the incident is assigned to.
UserPrincipalName string
The user principal name of the user the incident is assigned to.
AssignedTo string
The name of the user the incident is assigned to.
Email string
The email of the user the incident is assigned to.
ObjectId string
The object id of the user the incident is assigned to.
OwnerType string | OwnerType
The type of the owner the incident is assigned to.
UserPrincipalName string
The user principal name of the user the incident is assigned to.
assignedTo String
The name of the user the incident is assigned to.
email String
The email of the user the incident is assigned to.
objectId String
The object id of the user the incident is assigned to.
ownerType String | OwnerType
The type of the owner the incident is assigned to.
userPrincipalName String
The user principal name of the user the incident is assigned to.
assignedTo string
The name of the user the incident is assigned to.
email string
The email of the user the incident is assigned to.
objectId string
The object id of the user the incident is assigned to.
ownerType string | OwnerType
The type of the owner the incident is assigned to.
userPrincipalName string
The user principal name of the user the incident is assigned to.
assigned_to str
The name of the user the incident is assigned to.
email str
The email of the user the incident is assigned to.
object_id str
The object id of the user the incident is assigned to.
owner_type str | OwnerType
The type of the owner the incident is assigned to.
user_principal_name str
The user principal name of the user the incident is assigned to.
assignedTo String
The name of the user the incident is assigned to.
email String
The email of the user the incident is assigned to.
objectId String
The object id of the user the incident is assigned to.
ownerType String | "Unknown" | "User" | "Group"
The type of the owner the incident is assigned to.
userPrincipalName String
The user principal name of the user the incident is assigned to.

IncidentOwnerInfoResponse, IncidentOwnerInfoResponseArgs

AssignedTo string
The name of the user the incident is assigned to.
Email string
The email of the user the incident is assigned to.
ObjectId string
The object id of the user the incident is assigned to.
OwnerType string
The type of the owner the incident is assigned to.
UserPrincipalName string
The user principal name of the user the incident is assigned to.
AssignedTo string
The name of the user the incident is assigned to.
Email string
The email of the user the incident is assigned to.
ObjectId string
The object id of the user the incident is assigned to.
OwnerType string
The type of the owner the incident is assigned to.
UserPrincipalName string
The user principal name of the user the incident is assigned to.
assignedTo String
The name of the user the incident is assigned to.
email String
The email of the user the incident is assigned to.
objectId String
The object id of the user the incident is assigned to.
ownerType String
The type of the owner the incident is assigned to.
userPrincipalName String
The user principal name of the user the incident is assigned to.
assignedTo string
The name of the user the incident is assigned to.
email string
The email of the user the incident is assigned to.
objectId string
The object id of the user the incident is assigned to.
ownerType string
The type of the owner the incident is assigned to.
userPrincipalName string
The user principal name of the user the incident is assigned to.
assigned_to str
The name of the user the incident is assigned to.
email str
The email of the user the incident is assigned to.
object_id str
The object id of the user the incident is assigned to.
owner_type str
The type of the owner the incident is assigned to.
user_principal_name str
The user principal name of the user the incident is assigned to.
assignedTo String
The name of the user the incident is assigned to.
email String
The email of the user the incident is assigned to.
objectId String
The object id of the user the incident is assigned to.
ownerType String
The type of the owner the incident is assigned to.
userPrincipalName String
The user principal name of the user the incident is assigned to.

IncidentSeverity, IncidentSeverityArgs

High
High: High severity
Medium
Medium: Medium severity
Low
Low: Low severity
Informational
Informational: Informational severity
IncidentSeverityHigh
High: High severity
IncidentSeverityMedium
Medium: Medium severity
IncidentSeverityLow
Low: Low severity
IncidentSeverityInformational
Informational: Informational severity
High
High: High severity
Medium
Medium: Medium severity
Low
Low: Low severity
Informational
Informational: Informational severity
High
High: High severity
Medium
Medium: Medium severity
Low
Low: Low severity
Informational
Informational: Informational severity
HIGH
High: High severity
MEDIUM
Medium: Medium severity
LOW
Low: Low severity
INFORMATIONAL
Informational: Informational severity
"High"
High: High severity
"Medium"
Medium: Medium severity
"Low"
Low: Low severity
"Informational"
Informational: Informational severity

IncidentStatus, IncidentStatusArgs

New
New: An active incident which isn't being handled currently
Active
Active: An active incident which is being handled
Closed
Closed: A non-active incident
IncidentStatusNew
New: An active incident which isn't being handled currently
IncidentStatusActive
Active: An active incident which is being handled
IncidentStatusClosed
Closed: A non-active incident
New
New: An active incident which isn't being handled currently
Active
Active: An active incident which is being handled
Closed
Closed: A non-active incident
New
New: An active incident which isn't being handled currently
Active
Active: An active incident which is being handled
Closed
Closed: A non-active incident
NEW
New: An active incident which isn't being handled currently
ACTIVE
Active: An active incident which is being handled
CLOSED
Closed: A non-active incident
"New"
New: An active incident which isn't being handled currently
"Active"
Active: An active incident which is being handled
"Closed"
Closed: A non-active incident

OwnerType, OwnerTypeArgs

Unknown
Unknown: The incident owner type is unknown
User
User: The incident owner type is an AAD user
Group
Group: The incident owner type is an AAD group
OwnerTypeUnknown
Unknown: The incident owner type is unknown
OwnerTypeUser
User: The incident owner type is an AAD user
OwnerTypeGroup
Group: The incident owner type is an AAD group
Unknown
Unknown: The incident owner type is unknown
User
User: The incident owner type is an AAD user
Group
Group: The incident owner type is an AAD group
Unknown
Unknown: The incident owner type is unknown
User
User: The incident owner type is an AAD user
Group
Group: The incident owner type is an AAD group
UNKNOWN
Unknown: The incident owner type is unknown
USER
User: The incident owner type is an AAD user
GROUP
Group: The incident owner type is an AAD group
"Unknown"
Unknown: The incident owner type is unknown
"User"
User: The incident owner type is an AAD user
"Group"
Group: The incident owner type is an AAD group

SystemDataResponse, SystemDataResponseArgs

CreatedAt string
The timestamp of resource creation (UTC).
CreatedBy string
The identity that created the resource.
CreatedByType string
The type of identity that created the resource.
LastModifiedAt string
The timestamp of resource last modification (UTC)
LastModifiedBy string
The identity that last modified the resource.
LastModifiedByType string
The type of identity that last modified the resource.
CreatedAt string
The timestamp of resource creation (UTC).
CreatedBy string
The identity that created the resource.
CreatedByType string
The type of identity that created the resource.
LastModifiedAt string
The timestamp of resource last modification (UTC)
LastModifiedBy string
The identity that last modified the resource.
LastModifiedByType string
The type of identity that last modified the resource.
createdAt String
The timestamp of resource creation (UTC).
createdBy String
The identity that created the resource.
createdByType String
The type of identity that created the resource.
lastModifiedAt String
The timestamp of resource last modification (UTC)
lastModifiedBy String
The identity that last modified the resource.
lastModifiedByType String
The type of identity that last modified the resource.
createdAt string
The timestamp of resource creation (UTC).
createdBy string
The identity that created the resource.
createdByType string
The type of identity that created the resource.
lastModifiedAt string
The timestamp of resource last modification (UTC)
lastModifiedBy string
The identity that last modified the resource.
lastModifiedByType string
The type of identity that last modified the resource.
created_at str
The timestamp of resource creation (UTC).
created_by str
The identity that created the resource.
created_by_type str
The type of identity that created the resource.
last_modified_at str
The timestamp of resource last modification (UTC)
last_modified_by str
The identity that last modified the resource.
last_modified_by_type str
The type of identity that last modified the resource.
createdAt String
The timestamp of resource creation (UTC).
createdBy String
The identity that created the resource.
createdByType String
The type of identity that created the resource.
lastModifiedAt String
The timestamp of resource last modification (UTC)
lastModifiedBy String
The identity that last modified the resource.
lastModifiedByType String
The type of identity that last modified the resource.

Import

An existing resource can be imported using its type token, name, and identifier, e.g.

$ pulumi import azure-native:securityinsights:Incident 73e01a99-5cd7-4139-a149-9f2736ff2ab5 /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId} 

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
Azure Native pulumi/pulumi-azure-native
License
Apache-2.0