Query Details

Auto Close Low Priority Score Incidents

Query

{
    "definition": {
        "metadata": {
            "notes": {}
        },
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "contentVersion": "1.0.0.0",
        "triggers": {
            "Recurrence": {
                "type": "Recurrence",
                "recurrence": {
                    "frequency": "Minute",
                    "interval": 5,
                    "timeZone": "W. Europe Standard Time"
                }
            }
        },
        "actions": {
            "HTTP": {
                "type": "Http",
                "inputs": {
                    "uri": "https://graph.microsoft.com/v1.0/security/incidents",
                    "method": "GET",
                    "queries": {
                        "$filter": "status eq 'Active'"
                    },
                    "authentication": {
                        "type": "ManagedServiceIdentity",
                        "audience": "https://graph.microsoft.com"
                    }
                },
                "runAfter": {},
                "runtimeConfiguration": {
                    "contentTransfer": {
                        "transferMode": "Chunked"
                    }
                }
            },
            "Initialize_Variable_ExcludedTitleKeywords": {
                "type": "InitializeVariable",
                "inputs": {
                    "variables": [
                        {
                            "name": "excludedTitleKeywords",
                            "type": "Array",
                            "value": [
                                "Anomalous Token usage",
                                "demo",
                                "false positive"
                            ]
                        }
                    ]
                },
                "runAfter": {
                    "HTTP": [
                        "Succeeded"
                    ]
                }
            },
            "For_each": {
                "type": "Foreach",
                "foreach": "@body('HTTP')['value']",
                "actions": {
                    "Filter_Excluded_Titles": {
                        "type": "Query",
                        "inputs": {
                            "from": "@variables('excludedTitleKeywords')",
                            "where": "@contains(toLower(items('For_each')?['displayName']), toLower(item()))"
                        }
                    },
                    "Condition_Title_Not_Excluded": {
                        "type": "If",
                        "expression": {
                            "equals": [
                                "@length(body('Filter_Excluded_Titles'))",
                                0
                            ]
                        },
                        "actions": {
                            "Condition_PriorityScore_below_25": {
                                "type": "If",
                                "expression": {
                                    "and": [
                                        {
                                            "not": {
                                                "equals": [
                                                    "@item()?['priorityScore']",
                                                    null
                                                ]
                                            }
                                        },
                                        {
                                            "less": [
                                                "@item()?['priorityScore']",
                                                25
                                            ]
                                        }
                                    ]
                                },
                                "actions": {
                                    "HTTP_PATCH_Close_Incident": {
                                        "type": "Http",
                                        "inputs": {
                                            "uri": "https://graph.microsoft.com/v1.0/security/incidents/@{item()?['id']}",
                                            "method": "PATCH",
                                            "headers": {
                                                "Content-Type": "application/json"
                                            },
                                            "body": {
                                                "status": "resolved",
                                                "resolvingComment": "Auto-closed: priorityScore below threshold (25)",
                                                "customTags": "@union(item()?['customTags'], createArray('LowPrioScore'))"
                                            },
                                            "authentication": {
                                                "type": "ManagedServiceIdentity",
                                                "audience": "https://graph.microsoft.com"
                                            }
                                        }
                                    }
                                },
                                "else": {
                                    "actions": {}
                                }
                            }
                        },
                        "else": {
                            "actions": {}
                        },
                        "runAfter": {
                            "Filter_Excluded_Titles": [
                                "Succeeded"
                            ]
                        }
                    }
                },
                "runAfter": {
                    "Initialize_Variable_ExcludedTitleKeywords": [
                        "Succeeded"
                    ]
                }
            }
        },
        "outputs": {},
        "parameters": {
            "$connections": {
                "type": "Object",
                "defaultValue": {}
            }
        }
    },
    "parameters": {
        "$connections": {
            "type": "Object",
            "value": {}
        }
    }
}

About this query

<img width="1279" height="720" alt="image" src="https://github.com/user-attachments/assets/aa964c5c-ef2e-47c3-94a0-76e0d75da0d0" />

Description

Azure Logic App to automatically close low-priority Microsoft Defender incidents based on the Priority Score. Incidents below a configurable threshold are resolved via Microsoft Graph API, reducing SOC noise and alert fatigue while preserving traceability through custom tags.

Link to Full Article: https://www.linkedin.com/pulse/use-microsoft-defender-priority-score-reduce-noise-benjamin-zulliger-ja3re/

Explanation

This query is part of an Azure Logic App workflow designed to automatically manage Microsoft Defender incidents. Here's a simplified explanation of what it does:

  1. Trigger: The workflow is set to run every 5 minutes.

  2. Fetch Incidents: It retrieves all active security incidents from Microsoft Defender using the Microsoft Graph API.

  3. Exclude Certain Incidents: It initializes a list of keywords (e.g., "Anomalous Token usage", "demo", "false positive") to exclude certain incidents based on their titles.

  4. Filter Incidents: For each incident, it checks if the title contains any of the excluded keywords. If it does, the incident is ignored.

  5. Check Priority Score: For incidents not excluded by title, it checks if the priority score is below 25.

  6. Close Low-Priority Incidents: If an incident's priority score is below 25, it automatically closes the incident by updating its status to "resolved" and adds a comment indicating it was auto-closed due to a low priority score. It also tags the incident with "LowPrioScore" for traceability.

This process helps reduce noise and alert fatigue in a Security Operations Center (SOC) by automatically closing low-priority incidents, allowing analysts to focus on more critical issues.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: April 30, 2026

Tables

The image is not visibleand the provided JSON does not contain any KQL query to identify the table names. Please provide the KQL query directly for analysis.

Keywords

AzureLogicAppMicrosoftDefenderIncidentsGraphAPISOC

Operators

`eq``and``not``less``equals``length``contains``toLower``union``createArray``@``?``['']``()``{}``[]``:`

Actions

GitHub