OffBroadway.Defender365.IncidentClient (off_broadway_defender365 v1.0.3)
Default API client used by OffBroadway.Defender365.Producer to receive incidents from Microsoft 365 Defender Incident APIs.
An incident is a collection of related alerts that help describe an attack. Events from
different entities in an organization are automatically aggregated by Microsoft Defender 365.
This module implements the OffBroadway.Defender365.Client and Broadway.Acknowledger
behaviours, which define callbacks for receiving and acknowledging events.
The 365 Defender Incident client uses the api.security.microsoft.com endpoints for receiving
incidents and is implemented using the Tesla library.
Tesla is an HTTP client abstraction library which lets us easily select from a range of HTTP adapters.
Please see the Tesla documentation for more information.
The following quotas are enforced for the incidents API:
- Maximum page size is 100 incidents
- Maximum rate of requests is 50 calls per minute and 1500 calls per hour
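Both rate quotas and the page-size cap can be enforced on the caller's side before a request is sent, so a polling pipeline does not lose incidents to rejected calls. The following is an added example, not code from off_broadway_defender365: the QuotaGuard module and its function names are hypothetical, and it is kept independent of Tesla so it runs as a plain .exs script.

```elixir
defmodule QuotaGuard do
  @moduledoc "Hypothetical helper, not part of off_broadway_defender365."

  # Quotas from the list above, as {window in ms, max calls in that window}.
  @windows [{60_000, 50}, {3_600_000, 1_500}]
  @longest_window 3_600_000
  @max_page_size 100

  @doc "Clamps a requested page size to the documented maximum of 100."
  def page_size(requested) when is_integer(requested) and requested > 0,
    do: min(requested, @max_page_size)

  @doc """
  Decides whether a call may be made at `now` (milliseconds, monotonic).
  `history` holds the timestamps of earlier calls, newest first.
  Returns `{:ok, new_history}` or `{:wait, ms, history}`.
  """
  def check(history, now) do
    # Calls older than the longest window can never count again.
    history = Enum.take_while(history, &(now - &1 < @longest_window))

    wait =
      @windows
      |> Enum.map(fn {window, limit} -> wait_for(history, now, window, limit) end)
      |> Enum.max()

    if wait == 0, do: {:ok, [now | history]}, else: {:wait, wait, history}
  end

  # Sliding window: once `limit` calls sit inside the window, the next call
  # has to wait until the oldest of those `limit` calls has left it.
  defp wait_for(history, now, window, limit) do
    in_window = Enum.take_while(history, &(now - &1 < window))

    case Enum.at(in_window, limit - 1) do
      nil -> 0
      blocking -> blocking + window - now
    end
  end
end

# Constructed input: 60 calls fired 100 ms apart, starting at t = 0.
{history, refused} =
  Enum.reduce(0..59, {[], []}, fn i, {hist, refused} ->
    case QuotaGuard.check(hist, i * 100) do
      {:ok, hist} -> {hist, refused}
      {:wait, ms, hist} -> {hist, refused ++ [{i, ms}]}
    end
  end)

IO.inspect(length(history), label: "calls allowed")
IO.inspect(hd(refused), label: "first refusal {call index, wait in ms}")
```

In a running pipeline, `now` would come from `System.monotonic_time(:millisecond)` and a `{:wait, ms, _}` result would delay the next poll by `ms`.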
The following permissions are required to call the incidents API:
- Permission type: Application - Incident.Read.All
- Permission type: Application - Incident.ReadWrite.All
- Permission type: Delegated - Incident.Read
- Permission type: Delegated - Incident.ReadWrite
Summary
Functions
Returns a Tesla.Client configured with middleware.
Functions
@spec client(opts :: Keyword.t()) :: Tesla.Client.t()
Returns a Tesla.Client configured with middleware.
- Tesla.Middleware.BaseUrl middleware configured with base_url passed via opts.
- Tesla.Middleware.BearerAuth middleware configured with api_token passed via opts.
- Tesla.Middleware.Query middleware configured with query passed via opts.
- Tesla.Middleware.JSON middleware configured with Jason engine.