Get-MgSecurityIncident is a Microsoft Graph PowerShell cmdlet used to retrieve security incidents from Microsoft 365 Defender and related security workloads.
A security incident is a collection of correlated alerts grouped together to represent a potential attack or threat. This cmdlet allows administrators and security teams to programmatically access incident details from their tenant.
Get-MgSecurityIncident is useful for:
Instead of manually reviewing incidents in the Microsoft Defender portal, administrators can use this cmdlet to retrieve, filter, and export incident data using PowerShell.
Before running this cmdlet:
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "SecurityIncident.Read.All"
You must have appropriate security roles such as Security Reader or Security Administrator.
Basic syntax:
Get-MgSecurityIncident
You can run the cmdlet directly to retrieve incidents or use parameters like -ExpandProperty to include related objects such as alerts.
Get-MgSecurityIncident
Use this command to retrieve all available security incidents from your tenant. This is useful when you want a quick overview of incidents generated by Defender and related security products.
Get-MgSecurityIncident -ExpandProperty "alerts"
This command retrieves incidents and expands the alerts relationship. This is helpful when you want to see which alerts are tied to each incident, without running separate queries.
Get-MgSecurityIncident -All | Export-Csv -Path "d:/securityincidents.csv" -NoTypeInformation
This exports all incidents into a CSV file for reporting, auditing, or sharing with your security team. After export, open the CSV in Excel and filter by severity, status, or assigned analyst (depending on available properties in your tenant).
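The following is an added example, not code from the original page. Export-Csv writes a nested collection such as the expanded alerts as a type name rather than its contents, so the example flattens each incident into one row first. ConvertTo-IncidentRow is a hypothetical helper name, the sample objects are constructed so the block runs without a tenant, and the property names are assumed to follow the Graph incident and alert resources.

```powershell
# Hypothetical helper (not a Graph SDK cmdlet): one flat, CSV-friendly row per incident.
function ConvertTo-IncidentRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Incident
    )
    process {
        # Alerts is only populated when the query used -ExpandProperty "alerts";
        # @() keeps the value an array for zero, one, or many alerts.
        $alerts = @($Incident.Alerts | Where-Object { $_ })
        [pscustomobject]@{
            IncidentId      = $Incident.Id
            DisplayName     = $Incident.DisplayName
            Severity        = $Incident.Severity
            Status          = $Incident.Status
            AssignedTo      = $Incident.AssignedTo
            CreatedDateTime = $Incident.CreatedDateTime
            AlertCount      = $alerts.Count
            # Join nested values so Export-Csv writes text, not a type name
            AlertTitles     = ($alerts.Title -join '; ')
        }
    }
}

# Constructed sample objects standing in for Get-MgSecurityIncident output
$sample = @(
    [pscustomobject]@{
        Id = '101'; DisplayName = 'Constructed incident A'; Severity = 'high'
        Status = 'active'; AssignedTo = $null
        CreatedDateTime = [datetime]'2024-01-15T08:30:00Z'
        Alerts = @(
            [pscustomobject]@{ Title = 'Constructed alert 1' }
            [pscustomobject]@{ Title = 'Constructed alert 2' }
        )
    }
    [pscustomobject]@{
        Id = '102'; DisplayName = 'Constructed incident B'; Severity = 'low'
        Status = 'resolved'; AssignedTo = 'analyst@example.com'
        CreatedDateTime = [datetime]'2024-01-16T11:00:00Z'; Alerts = @()
    }
)

# Offline run: flatten the constructed incidents and write them oldest first
$sample | ConvertTo-IncidentRow | Sort-Object CreatedDateTime |
    Export-Csv -Path .\securityincidents-flat.csv -NoTypeInformation

# Against a tenant (after Connect-MgGraph -Scopes "SecurityIncident.Read.All"):
# Get-MgSecurityIncident -All -ExpandProperty "alerts" | ConvertTo-IncidentRow | Export-Csv ...
```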
| Key Point | Details |
| --- | --- |
| Cmdlet Name | Get-MgSecurityIncident |
| Purpose | Retrieves Microsoft 365 security incidents |
| Required Scope | SecurityIncident.Read.All |
| Primary Use | Security monitoring and investigation |
| Automation Benefit | Enables programmatic incident reporting and export |
| Use Case | SOC reporting, compliance audits, threat tracking |
© Created and Maintained by LEARNIT WELL SOLUTIONS. All Rights Reserved.