Query Details

Auto Close Low Priority Score Incidents

Query


**Description**

Azure Logic App to automatically close low-priority Microsoft Defender incidents based on the Priority Score. Incidents below a configurable threshold are resolved via Microsoft Graph API, reducing SOC noise and alert fatigue while preserving traceability through custom tags.

Link to Full Article: https://www.linkedin.com/pulse/use-microsoft-defender-priority-score-reduce-noise-benjamin-zulliger-ja3re/

```json
{
    "definition": {
        "metadata": {
            "notes": {}
        },
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "contentVersion": "1.0.0.0",
        "triggers": {
            "Recurrence": {
                "type": "Recurrence",
                "recurrence": {
                    "frequency": "Minute",
                    "interval": 5,
                    "timeZone": "W. Europe Standard Time"
                }
            }
        },
        "actions": {
            "HTTP": {
                "type": "Http",
                "inputs": {
                    "uri": "https://graph.microsoft.com/v1.0/security/incidents",
                    "method": "GET",
                    "queries": {
                        "$filter": "status eq 'Active'"
                    },
                    "authentication": {
                        "type": "ManagedServiceIdentity",
                        "audience": "https://graph.microsoft.com"
                    }
                },
                "runAfter": {},
                "runtimeConfiguration": {
                    "contentTransfer": {
                        "transferMode": "Chunked"
                    }
                }
            },
            "For_each": {
                "type": "Foreach",
                "foreach": "@body('HTTP')['value']",
                "actions": {
                    "Condition_PriorityScore_below_25": {
                        "type": "If",
                        "expression": {
                            "and": [
                                {
                                    "not": {
                                        "equals": [
                                            "@item()?['priorityScore']",
                                            null
                                        ]
                                    }
                                },
                                {
                                    "less": [
                                        "@item()?['priorityScore']",
                                        25
                                    ]
                                }
                            ]
                        },
                        "actions": {
                            "HTTP_PATCH_Close_Incident": {
                                "type": "Http",
                                "inputs": {
                                    "uri": "https://graph.microsoft.com/v1.0/security/incidents/@{item()?['id']}",
                                    "method": "PATCH",
                                    "headers": {
                                        "Content-Type": "application/json"
                                    },
                                    "body": {
                                        "status": "resolved",
                                        "resolvingComment": "Auto-closed: priorityScore below threshold (25)",
                                        "customTags": "@union(item()?['customTags'], createArray('LowPrioScore'))"
                                    },
                                    "authentication": {
                                        "type": "ManagedServiceIdentity",
                                        "audience": "https://graph.microsoft.com"
                                    }
                                }
                            }
                        },
                        "else": {
                            "actions": {}
                        }
                    }
                },
                "runAfter": {
                    "HTTP": [
                        "Succeeded"
                    ]
                }
            }
        },
        "outputs": {},
        "parameters": {
            "$connections": {
                "type": "Object",
                "defaultValue": {}
            }
        }
    },
    "parameters": {
        "$connections": {
            "type": "Object",
            "value": {}
        }
    }
}
```

Explanation

This Azure Logic App is designed to automatically manage Microsoft Defender incidents by closing those with a low priority score. Here's a simple breakdown of how it works:

  1. Trigger: The Logic App runs every 5 minutes, checking for active incidents in the Microsoft Defender system.

  2. Fetch Incidents: It uses the Microsoft Graph API to retrieve a list of all active security incidents.

  3. Evaluate Priority: For each incident, it checks the "priorityScore". If the score is below 25, it considers the incident low-priority.

  4. Close Low-Priority Incidents: If an incident's priority score is below 25, the Logic App automatically updates its status to "resolved" using a PATCH request via the Microsoft Graph API. It adds a comment indicating the reason for closure and tags the incident with "LowPrioScore" for traceability.

  5. Authentication: Both Graph calls authenticate with the Logic App's managed identity (ManagedServiceIdentity, audience https://graph.microsoft.com), so no client secret or API key is stored in the workflow.

This process helps reduce the noise and alert fatigue in Security Operations Centers (SOC) by automatically resolving low-priority incidents, allowing analysts to focus on more critical issues.
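The same decision logic as a stand-alone Python script, added here as an example and not part of the author's Logic App. It runs offline against a constructed two-page Graph response through an injected fetch function, mirrors the null check, the strict "below 25" comparison and the tag union from the workflow, and additionally follows @odata.nextLink (the workflow above reads only the first page's value array).

```python
"""Reference implementation of the auto-close decision logic (added example)."""
from typing import Callable, Dict, Iterator

THRESHOLD = 25  # same cut-off as Condition_PriorityScore_below_25
ACTIVE_URL = "https://graph.microsoft.com/v1.0/security/incidents?$filter=status eq 'Active'"

def iter_incidents(fetch: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Walk every page of a Graph collection by following @odata.nextLink."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def should_auto_close(incident: dict, threshold: int = THRESHOLD) -> bool:
    """Mirror the Logic App condition: priorityScore present AND strictly below threshold."""
    score = incident.get("priorityScore")
    return score is not None and score < threshold

def build_patch_body(incident: dict, threshold: int = THRESHOLD) -> dict:
    """Same PATCH payload as HTTP_PATCH_Close_Incident; existing tags are preserved."""
    existing = incident.get("customTags") or []          # tolerate a missing/null tag list
    tags = list(dict.fromkeys([*existing, "LowPrioScore"]))  # union(): de-duplicated, order kept
    return {
        "status": "resolved",
        "resolvingComment": f"Auto-closed: priorityScore below threshold ({threshold})",
        "customTags": tags,
    }

def plan_closures(fetch: Callable[[str], dict], url: str = ACTIVE_URL) -> Dict[str, dict]:
    """Return {incident_id: patch_body} for every incident the workflow would close."""
    return {i["id"]: build_patch_body(i) for i in iter_incidents(fetch, url) if should_auto_close(i)}

# Constructed sample response (not real Defender data); "page2" stands in for a nextLink URL.
SAMPLE_PAGES = {
    "page1": {"value": [
        {"id": "inc-1", "priorityScore": 10, "customTags": ["Phishing"]},
        {"id": "inc-2", "priorityScore": 40, "customTags": []},
        {"id": "inc-3", "priorityScore": None, "customTags": []},   # no score: left open
    ], "@odata.nextLink": "page2"},
    "page2": {"value": [
        {"id": "inc-4", "priorityScore": 25, "customTags": ["LowPrioScore"]},  # 25 is not < 25
        {"id": "inc-5", "priorityScore": 3, "customTags": ["LowPrioScore", "Test"]},
    ]},
}

def sample_plan() -> Dict[str, dict]:
    """Run the planner over the constructed pages (first request maps to page1)."""
    return plan_closures(lambda u: SAMPLE_PAGES["page1" if u == ACTIVE_URL else u])

if __name__ == "__main__":
    for inc_id, body in sample_plan().items():
        print(inc_id, body)
```

In production the returned bodies would be sent as PATCH requests to https://graph.microsoft.com/v1.0/security/incidents/{id}, exactly as the workflow does.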

Details

Benjamin Zulliger

Released: April 23, 2026

Tables

This query interacts with the Microsoft Graph API rather than with a specific database table, so no traditional database tables are involved.

Keywords

Azure, Logic App, Microsoft Defender, Incidents, Microsoft Graph API, SOC

Operators

and, not, equals, less, union, createArray

Actions