Forum Discussion
Microsoft Defender Incident – Handling incident severity change.
I am polling incidents via Microsoft Graph API every 5 minutes, initially filtering out Low/Informational incidents.
Later, some low severity incidents are updated to High/Medium severity.
Is there any built-in mechanism in Defender for tracking severity transitions?
Microsoft Defender XDR does not currently provide a dedicated “severity transition history” field or event specifically exposing incident severity changes over time through the standard Incidents Graph API endpoint.
In practice, when polling incidents, the recommended approach is usually to:
- Store the previous severity/state locally
- Compare subsequent API responses
- Detect changes such as:
  - Low → Medium
  - Medium → High
  - Informational → High
A common pattern is:
- Poll all incidents updated since last execution (lastUpdateTime)
- Maintain a local cache/database of incident IDs + previous severity
- Trigger automation whenever severity changes
The important point is that Defender incidents are dynamic objects, and severity can be recalculated automatically as:
- new alerts are correlated,
- entities are enriched,
- AI correlation changes,
- analysts update classification/severity manually.
You may also want to look at:
- lastUpdateTime
- alert correlation updates
- audit/activity logs (for analyst-driven changes)
If you're using Microsoft Sentinel integrated with Defender XDR, you can additionally track incident modifications through Sentinel incident tables and analytics workflows more granularly.
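The poll-compare-trigger pattern described in the reply, as an added example that is not part of the original post: it keeps a local cache of incident id to last seen severity, diffs each polling batch against it (Low/Informational incidents are cached rather than discarded, so a later upgrade is caught), and derives the next `$filter` from the newest update timestamp. The field names `id`, `severity` and `lastUpdateDateTime` are assumed to match the Graph incident resource, and the two polls are constructed sample data, not real Defender output.

```python
from datetime import datetime, timezone

# Rank severities so an escalation can be told apart from a downgrade.
SEVERITY_RANK = {"unknown": -1, "informational": 0, "low": 1, "medium": 2, "high": 3}
ALERT_THRESHOLD = "medium"  # automation fires when an incident reaches this or higher

class SeverityTracker:  # local cache of incident id -> last seen severity
    def __init__(self):
        self.cache = {}        # incident id -> last severity seen
        self.watermark = None  # newest lastUpdateDateTime seen, used for the next query

    def process_poll(self, incidents):
        """Diff one polled batch against the cache and return every severity change.
        Low/Informational incidents are cached, not dropped, so a later upgrade is seen."""
        changes = []
        for inc in incidents:
            inc_id, new = inc["id"], inc["severity"].lower()
            old = self.cache.get(inc_id)
            updated = datetime.fromisoformat(inc["lastUpdateDateTime"].replace("Z", "+00:00"))
            self.watermark = max(self.watermark or updated, updated)
            self.cache[inc_id] = new
            if old is None or old == new:
                continue
            # True only when the change crosses the threshold from below (an escalation).
            crossed = SEVERITY_RANK.get(old, -1) < SEVERITY_RANK[ALERT_THRESHOLD] <= SEVERITY_RANK.get(new, -1)
            changes.append({"id": inc_id, "from": old, "to": new, "escalated": crossed})
        return changes

    def next_filter(self):
        """OData $filter for the next poll (assumes the Graph lastUpdateDateTime property)."""
        if self.watermark is None:
            return None
        stamp = self.watermark.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"lastUpdateDateTime gt {stamp}"

# Constructed sample polls (not real Defender data): inc-1 is Low, then becomes High.
POLL_1 = [
    {"id": "inc-1", "severity": "low", "lastUpdateDateTime": "2024-01-01T10:00:00Z"},
    {"id": "inc-2", "severity": "medium", "lastUpdateDateTime": "2024-01-01T10:01:00Z"},
]
POLL_2 = [
    {"id": "inc-1", "severity": "high", "lastUpdateDateTime": "2024-01-01T10:05:00Z"},
    {"id": "inc-2", "severity": "low", "lastUpdateDateTime": "2024-01-01T10:06:00Z"},
]

def demo():
    tracker = SeverityTracker()
    first = tracker.process_poll(POLL_1)   # nothing cached yet, so no changes reported
    second = tracker.process_poll(POLL_2)  # inc-1 escalates, inc-2 is downgraded
    return first, second, tracker.next_filter()
```

Only entries with `escalated` set should wake the automation the reply mentions; the downgrade is still recorded so the cache stays accurate.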