Microsoft Defender Incident – Handling incident severity change

The Microsoft Graph API for security incidents does not offer a dedicated endpoint for field-level history or an audit log of transitions. Specifically, there is no queryable change log for incident severity: the API exposes only the current severity value and a last update timestamp. Furthermore, Graph change notifications (webhooks) are not documented as supported for security incidents; webhook support exists only for the legacy alerts resource, which is slated for deprecation. Consequently, polling is currently the only supported method for monitoring changes to security incidents.

To track severity changes effectively, implement a polling strategy that requests only incidents updated since the last poll, using the $filter=lastUpdateDateTime gt {last_poll_timestamp} parameter in your API requests. When new incident data is retrieved, compare the incoming severity with the severity previously stored for that incident in your own system; this client-side comparison is what detects a severity transition. Persist the incident ID, severity, and last update time from each poll so that the next poll has something to compare against.

Be aware that this method yields only an approximate time of change: it shows that the transition occurred somewhere between two poll intervals, not the precise second at which it happened. The polling frequency therefore determines the granularity of the timing information.
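The polling loop described above, as an added example that is not part of the original note and not Microsoft's own code. It assumes the Graph v1.0 incident resource returns the documented id, severity and lastUpdateDateTime properties, and that the caller supplies an authenticated fetch_json(url) callable (hypothetical; in practice a thin wrapper around an HTTP client carrying a bearer token). The sample responses are constructed, not real tenant data. Beyond the note's description, it handles two details a practitioner runs into: paging via @odata.nextLink, and Graph timestamps with seven fractional digits, which cannot be compared as plain strings.

```python
"""Detect Microsoft Defender incident severity transitions by polling Graph.
Added example; fetch_json is a hypothetical authenticated Graph client."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import quote

GRAPH_INCIDENTS_URL = "https://graph.microsoft.com/v1.0/security/incidents"


@dataclass(frozen=True)
class SeverityChange:
    incident_id: str
    old_severity: str
    new_severity: str
    window_start: str  # poll time at which the old severity was last seen
    window_end: str    # poll time at which the new severity was first seen


@dataclass
class IncidentState:
    severity: str
    last_update: str   # lastUpdateDateTime as returned by Graph
    observed_at: str   # wall-clock time of the poll that recorded this state


def parse_graph_time(ts: str) -> datetime:
    """Parse Graph's UTC ISO 8601 timestamps (up to 7 fractional digits)."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        tzinfo=timezone.utc, microsecond=micros)


def build_filter_url(last_poll_timestamp: str) -> str:
    """First-page URL selecting only incidents updated after the watermark."""
    flt = f"lastUpdateDateTime gt {last_poll_timestamp}"
    return f"{GRAPH_INCIDENTS_URL}?$select=id,severity,lastUpdateDateTime&$filter={quote(flt)}"


def iterate_pages(fetch_json: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Follow @odata.nextLink until the result set is exhausted."""
    while url:
        page = fetch_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


class SeverityTracker:
    """Client-side store of (severity, lastUpdateDateTime) per incident."""

    def __init__(self, start_from: str) -> None:
        self.state: Dict[str, IncidentState] = {}
        self.watermark = start_from  # highest lastUpdateDateTime seen so far

    def poll(self, fetch_json: Callable[[str], dict],
             now: Optional[datetime] = None) -> List[SeverityChange]:
        polled_at = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
        changes: List[SeverityChange] = []
        newest = self.watermark
        for inc in iterate_pages(fetch_json, build_filter_url(self.watermark)):
            iid, sev, upd = inc["id"], inc["severity"], inc["lastUpdateDateTime"]
            prev = self.state.get(iid)
            # First sighting is a baseline, not a transition; an update that
            # touched other fields but left severity alone is ignored too.
            if prev is not None and prev.severity != sev:
                changes.append(SeverityChange(iid, prev.severity, sev,
                                              prev.observed_at, polled_at))
            self.state[iid] = IncidentState(sev, upd, polled_at)
            if parse_graph_time(upd) > parse_graph_time(newest):
                newest = upd
        # Advance the watermark from the data rather than the local clock so a
        # poll that runs slightly ahead of Graph's write time cannot skip updates.
        self.watermark = newest
        return changes


# Constructed sample responses (not real tenant data), served page by page.
SAMPLE_PAGES = [
    {"value": [{"id": "inc-1001", "severity": "low",
                "lastUpdateDateTime": "2024-05-01T10:00:00Z"}],
     "@odata.nextLink": GRAPH_INCIDENTS_URL + "?$skiptoken=constructed-page-2"},
    {"value": [{"id": "inc-1002", "severity": "medium",
                "lastUpdateDateTime": "2024-05-01T10:05:00.1234567Z"}]},
    # second poll: inc-1001 escalated, inc-1002 touched but unchanged, inc-1003 new
    {"value": [{"id": "inc-1001", "severity": "high",
                "lastUpdateDateTime": "2024-05-01T10:30:00Z"},
               {"id": "inc-1002", "severity": "medium",
                "lastUpdateDateTime": "2024-05-01T10:31:00Z"},
               {"id": "inc-1003", "severity": "informational",
                "lastUpdateDateTime": "2024-05-01T10:32:00Z"}]},
]


def make_fake_fetch(pages: List[dict]) -> Callable[[str], dict]:
    """Stand-in for the authenticated Graph client: hands out pages in order."""
    queue = list(pages)
    return lambda url: queue.pop(0)


def run_demo() -> Tuple[List[SeverityChange], List[SeverityChange], SeverityTracker]:
    tracker = SeverityTracker(start_from="2024-05-01T00:00:00Z")
    fetch = make_fake_fetch(SAMPLE_PAGES)
    first = tracker.poll(fetch, now=datetime(2024, 5, 1, 10, 10, tzinfo=timezone.utc))
    second = tracker.poll(fetch, now=datetime(2024, 5, 1, 10, 40, tzinfo=timezone.utc))
    return first, second, tracker


if __name__ == "__main__":
    for c in run_demo()[1]:
        print(f"{c.incident_id}: {c.old_severity} -> {c.new_severity} "
              f"between {c.window_start} and {c.window_end}")
```

Running it reports a single transition, inc-1001 from low to high, bracketed by the two poll times 10:10 and 10:40 UTC: that window, not a precise instant, is all the polling model can give, and it shrinks only as the poll interval does. The watermark is advanced to the highest lastUpdateDateTime actually observed rather than to the local clock; this is a design choice added here, made so that clock skew between the poller and Graph cannot cause an update to be filtered out of every poll.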