Auto Close Low Priority Score Incidents
Query
{
"definition": {
"metadata": {
"notes": {}
},
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"triggers": {
"Recurrence": {
"type": "Recurrence",
"recurrence": {
"frequency": "Minute",
"interval": 5,
"timeZone": "W. Europe Standard Time"
}
}
},
"actions": {
"HTTP": {
"type": "Http",
"inputs": {
"uri": "https://graph.microsoft.com/v1.0/security/incidents",
"method": "GET",
"queries": {
"$filter": "status eq 'Active'"
},
"authentication": {
"type": "ManagedServiceIdentity",
"audience": "https://graph.microsoft.com"
}
},
"runAfter": {},
"runtimeConfiguration": {
"contentTransfer": {
"transferMode": "Chunked"
}
}
},
"Initialize_Variable_ExcludedTitleKeywords": {
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "excludedTitleKeywords",
"type": "Array",
"value": [
"Anomalous Token usage",
"demo",
"false positive"
]
}
]
},
"runAfter": {
"HTTP": [
"Succeeded"
]
}
},
"For_each": {
"type": "Foreach",
"foreach": "@body('HTTP')['value']",
"actions": {
"Filter_Excluded_Titles": {
"type": "Query",
"inputs": {
"from": "@variables('excludedTitleKeywords')",
"where": "@contains(toLower(items('For_each')?['displayName']), toLower(item()))"
}
},
"Condition_Title_Not_Excluded": {
"type": "If",
"expression": {
"equals": [
"@length(body('Filter_Excluded_Titles'))",
0
]
},
"actions": {
"Condition_PriorityScore_below_25": {
"type": "If",
"expression": {
"and": [
{
"not": {
"equals": [
"@item()?['priorityScore']",
null
]
}
},
{
"less": [
"@item()?['priorityScore']",
25
]
}
]
},
"actions": {
"HTTP_PATCH_Close_Incident": {
"type": "Http",
"inputs": {
"uri": "https://graph.microsoft.com/v1.0/security/incidents/@{item()?['id']}",
"method": "PATCH",
"headers": {
"Content-Type": "application/json"
},
"body": {
"status": "resolved",
"resolvingComment": "Auto-closed: priorityScore below threshold (25)",
"customTags": "@union(item()?['customTags'], createArray('LowPrioScore'))"
},
"authentication": {
"type": "ManagedServiceIdentity",
"audience": "https://graph.microsoft.com"
}
}
}
},
"else": {
"actions": {}
}
}
},
"else": {
"actions": {}
},
"runAfter": {
"Filter_Excluded_Titles": [
"Succeeded"
]
}
}
},
"runAfter": {
"Initialize_Variable_ExcludedTitleKeywords": [
"Succeeded"
]
}
}
},
"outputs": {},
"parameters": {
"$connections": {
"type": "Object",
"defaultValue": {}
}
}
},
"parameters": {
"$connections": {
"type": "Object",
"value": {}
}
}
}About this query
Description
Azure Logic App to automatically close low-priority Microsoft Defender incidents based on the Priority Score. Incidents below a configurable threshold are resolved via Microsoft Graph API, reducing SOC noise and alert fatigue while preserving traceability through custom tags.
Link to Full Article: https://www.linkedin.com/pulse/use-microsoft-defender-priority-score-reduce-noise-benjamin-zulliger-ja3re/
Explanation
This query is part of an Azure Logic App workflow designed to automatically manage Microsoft Defender incidents. Here's a simplified explanation of what it does:
-
Trigger: The workflow is set to run every 5 minutes.
-
Fetch Incidents: It retrieves all active security incidents from Microsoft Defender using the Microsoft Graph API.
-
Exclude Certain Incidents: It initializes a list of keywords (e.g., "Anomalous Token usage", "demo", "false positive") to exclude certain incidents based on their titles.
-
Filter Incidents: For each incident, it checks if the title contains any of the excluded keywords. If it does, the incident is ignored.
-
Check Priority Score: For incidents not excluded by title, it checks if the priority score is below 25.
-
Close Low-Priority Incidents: If an incident's priority score is below 25, it automatically closes the incident by updating its status to "resolved" and adds a comment indicating it was auto-closed due to a low priority score. It also tags the incident with "LowPrioScore" for traceability.
This process helps reduce noise and alert fatigue in a Security Operations Center (SOC) by automatically closing low-priority incidents, allowing analysts to focus on more critical issues.
Details

Benjamin Zulliger
Released: April 30, 2026
Tables
Keywords
Operators