Updated Values for Defender Incidents Plugin

This plugin really needs to be updated with current values. The Defender Incident API has multiple determination values available, but the plugin is still only listing off the Endpoint-related determinations. I’ve been waiting for years to see these added and nothing yet.

We’re missing the most common of the trade, “Phishing”.

I also cannot figure out why the comments always add extra spacing via the plugin, but can’t be sure if it’s actually plugin-related.

Thank you for the feedback. I just want to make sure we are on the same page.

This is the endpoint the plugin is targeting:

https://learn.microsoft.com/en-us/defender-xdr/api-list-incidents

This is the determination schema provided by Microsoft at the URL provided above:

determination: Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other (example value: NotAvailable)

Are you saying in the UI Phishing is a determination, or if you were to list an incident via the API explorer it would show other options for Determination?

The link you just sent over is the reference for the List Updates API function. If you look at the “Update Incidents” function, it includes additional determinations.

Update incident API - Microsoft Defender XDR | Microsoft Learn

Description
Specifies the determination of the incident.

Possible determination values for each classification are:

  • True positive: MultiStagedAttack (Multi staged attack), MaliciousUserActivity (Malicious user activity), CompromisedAccount (Compromised account) – consider changing the enum name in public api accordingly, Malware (Malware), Phishing (Phishing), UnwantedSoftware (Unwanted software), and Other (Other).
  • Informational, expected activity: SecurityTesting (Security test), LineOfBusinessApplication (Line-of-business application), ConfirmedActivity (Confirmed activity) - consider changing the enum name in public api accordingly, and Other (Other).
  • False positive: Clean (Not malicious) - consider changing the enum name in public api accordingly, NoEnoughDataToValidate (Not enough data to validate), and Other (Other).
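The two determination lists in this thread (the shorter one from the List incidents schema and the per-classification one from the Update incident doc) are exactly what a plugin has to validate before it sends a PATCH. The script below is an added example, not code from the thread or from the plugin: it encodes the per-classification sets quoted above, shows that Phishing is absent from the older list, and builds the request body for the Update incident API without sending it. The classification enum names (TruePositive, InformationalExpectedActivity, FalsePositive), the status value and the PATCH endpoint shape are assumptions taken from the public API rather than from this page.

```python
"""Validate a Defender XDR classification/determination pair and build the
Update incident PATCH body.

Added example, not part of the original thread or of the plugin. The
determination sets are copied from the Update incident doc quoted in the
thread; classification enum names, the status value and the endpoint URL
are assumptions, and nothing is sent over the network.
"""
import json

# Determinations the Update incident API documents, keyed by classification.
# Classification enum names are assumed (not stated on the page).
DETERMINATIONS_BY_CLASSIFICATION = {
    "TruePositive": {
        "MultiStagedAttack", "MaliciousUserActivity", "CompromisedAccount",
        "Malware", "Phishing", "UnwantedSoftware", "Other",
    },
    "InformationalExpectedActivity": {
        "SecurityTesting", "LineOfBusinessApplication", "ConfirmedActivity",
        "Other",
    },
    "FalsePositive": {
        # "NoEnoughDataToValidate" is the documented spelling; keep it verbatim.
        "Clean", "NoEnoughDataToValidate", "Other",
    },
}

# The older Endpoint-only list from the List incidents schema. This is the
# set the plugin exposed before 2.0.1; note that Phishing is not in it.
LEGACY_DETERMINATIONS = {
    "NotAvailable", "Apt", "Malware", "SecurityPersonnel",
    "SecurityTesting", "UnwantedSoftware", "Other",
}


def validate_pair(classification, determination):
    """Return (ok, reason); ok is True only for a documented combination."""
    allowed = DETERMINATIONS_BY_CLASSIFICATION.get(classification)
    if allowed is None:
        return False, f"unknown classification {classification!r}"
    if determination not in allowed:
        return False, (f"{determination!r} is not valid for {classification}; "
                       f"allowed: {sorted(allowed)}")
    return True, "ok"


def in_legacy_list(determination):
    """True if the older Endpoint-only schema would have accepted this value."""
    return determination in LEGACY_DETERMINATIONS


def build_update_body(classification, determination, status=None):
    """Build the PATCH body; refuse undocumented pairs instead of sending them."""
    ok, reason = validate_pair(classification, determination)
    if not ok:
        raise ValueError(reason)
    body = {"classification": classification, "determination": determination}
    if status is not None:          # e.g. "Resolved" (assumed status value)
        body["status"] = status
    return body


def update_request(incident_id, body, base="https://api.security.microsoft.com"):
    """Method, URL and serialized body for the PATCH call (assumed URL shape)."""
    return "PATCH", f"{base}/api/incidents/{int(incident_id)}", json.dumps(body)


if __name__ == "__main__":
    body = build_update_body("TruePositive", "Phishing", status="Resolved")
    method, url, payload = update_request(123456, body)  # constructed incident id
    print(method, url, payload)
    print("Phishing accepted by legacy list:", in_legacy_list("Phishing"))
    print(validate_pair("FalsePositive", "Phishing"))
```

The point of validating client-side is that a plugin with a hard-coded enum silently drops or rejects values the API already accepts; keeping the per-classification table in one place makes a future doc change a one-line edit.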

Thank you for explaining that.

Let me put in a request for enhancement. I will update this thread when I know more.

Good morning!

I shared your feedback and frustrations around the plugin with our internal teams, and I wanted to let you know that one of our engineers, Ryan Murray, really stepped up and took ownership of the issue.

The Microsoft Defender Incidents plugin has now been updated to version 2.0.1. When you get a chance, please try the Update Incidents action again and let me know how it goes.

I genuinely appreciate you not only raising the issue but also providing the extra context—it made a big difference in helping us get this in front of the right people and moving toward a solution.