Defender XDR Alerts
The Microsoft Defender XDR Alerts Input retrieves comprehensive security alerts from Microsoft's unified Extended Detection and Response (XDR) platform.
Sync Type: Incremental
Overview
This input connects to the Microsoft Graph Security API to fetch alerts generated by multiple integrated security services within the Microsoft Defender XDR suite.
Supported Security Services
The input retrieves alerts from the following Microsoft Defender services:
- Microsoft Defender for Endpoint - Endpoint detection and response alerts from workstations, servers, and mobile devices
- Microsoft Defender for Cloud - Cloud security posture management and threat protection alerts from Azure, AWS, and GCP resources
- Microsoft Defender for Identity - Identity-based threats and suspicious activities targeting Active Directory environments
- Microsoft Defender for Office 365 - Email and collaboration threats including phishing, malware, and safe attachments/links
- Microsoft Defender for Cloud Apps - Cloud application security alerts and anomalous user behavior detection
Prerequisites
- Have a Microsoft Account with an active Azure Subscription.
- Register a new Application in App Registrations in Azure Entra ID portal.
- Make sure this new application has the following permissions -
- Microsoft Graph -
- SecurityAlert.Read.All
- SecurityAlert.ReadWrite.All
- SecurityIncident.Read.All
- SecurityIncident.ReadWrite.All
- Microsoft Graph -
Minimum role assignment: Reader role on the subscription or resource group scope.
Setting up a new application for API Access
- Registering a new application
- Open the App Registration page in the Azure Entra ID portal.
- Select New Registration.
- Add a name to the new registration.
- Click Register.
- Save the applications
Application (client) IDandDirectory (tenant) ID. - Select Certificates and Secrets.
- Click link next to Client credentials.
- In "Client secrets" click "New client secret".
- Add a name and expiration to the new secret.
- Save the client secret value.
- Give application access to Microsoft Graph API
- Click "API Permissions" on left sidebar.
- Click "Add Permission".
- Select "Microsoft Graph API".
- Select permissions SecurityAlert.Read.All, SecurityAlert.ReadWrite.All, SecurityIncident.Read.All, SecurityIncident.ReadWrite.All
- On the API permission page, click on "Grant admin consent for Default Directory".
- Grant access to your User
- Navigate to Subscriptions.
- Select the active Subscription.
- Click "Access control (IAM)" on the left menu.
- Select "Add Role Assignment" from the "+ Add" menu.
- Select the
Readerrole and click Next. - Click "Select members".
- Search for the new application name and click Select.
- Click "Review + assign".
- Confirm by clicking "Review + assign".
Configuration
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Tenant ID | string | true | The tenant ID of the Azure AD application |
| Interval | number | true | The number of seconds between runs of this connector |
| Backfill Start Time | string | No | The date to start fetching data from. If not specified, no past records will be fetched. |
Secrets
| Setting | Type | Required | Description |
|---|---|---|---|
| Client ID | string | true | The client ID of the Azure AD application |
| Client Secret | string | true | The client secret of the Azure AD application |
Related Articles
Sample Record
{
"id": "ff64d55e-2da9-4053-7a11-40fc2863aee2",
"providerAlertId": "224cd8a2-470a-bccb-6bbb-607b247d4c28",
"incidentId": "1",
"status": "new",
"severity": "medium",
"classification": null,
"determination": null,
"serviceSource": "Tom Williams",
"detectionSource": "John Johnson",
"productName": "Tom Brown",
"detectorId": "c6b5078c-1e3e-e867-5d32-6672145afced",
"tenantId": "36ec37a2-a108-3fcc-e1e5-33e9b9aff7d2",
"title": "John Brown",
"description": "John Smith",
"recommendedActions": "actions",
"category": "John Miller",
"assignedTo": null,
"alertWebUrl": "https://security.microsoft.com/alerts/d43edd62-48a2-21b7-c597-5be3bfdc6901?tid=fb2687d5-c0a5-6b01-e097-44b3b82881d0",
"incidentWebUrl": "https://security.microsoft.com/incident2/0/overview?tid=a21fc2b9-c6d1-b8dc-2e9a-fb335acbb74f",
"actorDisplayName": null,
"threatDisplayName": null,
"threatFamilyName": null,
"mitreTechniques": [
"T1059.001"
],
"createdDateTime": "2025-08-11T23:46:41Z",
"lastUpdateDateTime": "2025-08-11T23:46:41Z",
"resolvedDateTime": null,
"firstActivityDateTime": "2025-08-11T23:46:41Z",
"lastActivityDateTime": "2025-08-11T23:46:41Z",
"systemTags": [],
"alertPolicyId": null,
"comments": [],
"customDetails": {},
"evidence": [
{
"@odata.type": "Jane Williams",
"createdDateTime": "2025-08-11T23:46:41Z",
"verdict": "suspicious",
"remediationStatus": "active",
"remediationStatusDetails": null,
"roles": [],
"detailedRoles": [
"PrimaryDevice"
],
"tags": [],
"firstSeenDateTime": "2025-08-11T23:46:41Z",
"mdeDeviceId": "6acf0a18-18b0-2e80-b3d2-faf3ed4627f0",
"azureAdDeviceId": null,
"deviceDnsName": "Tom Jones",
"hostName": "Tom Brown",
"ntDomain": null,
"dnsDomain": null,
"osPlatform": "WindowsServer2022",
"osBuild": "00000",
"version": "1.0",
"healthStatus": "active",
"riskScore": "medium",
"rbacGroupId": 0,
"rbacGroupName": null,
"onboardingStatus": "onboarded",
"defenderAvStatus": "unknown",
"lastIpAddress": "0.0.0.0",
"lastExternalIpAddress": "0.0.0.0",
"ipInterfaces": [
"0.0.0.0",
"0.0.0.0",
"0.0.0.0",
"::1"
],
"vmMetadata": null,
"loggedOnUsers": []
},
{
"@odata.type": "Peter Miller",
"createdDateTime": "2025-08-11T23:46:41Z",
"verdict": "suspicious",
"remediationStatus": "active",
"remediationStatusDetails": null,
"roles": [],
"detailedRoles": [],
"tags": [],
"stream": null,
"userAccount": {
"accountName": "Jane Smith",
"domainName": "Sarah Johnson",
"userSid": "e2e027ee-7b0b-1c93-62bc-c8568a643ae9",
"azureAdUserId": null,
"userPrincipalName": null,
"displayName": null
}
},
{
"@odata.type": "Tom Johnson",
"createdDateTime": "2025-08-11T23:46:41Z",
"verdict": "suspicious",
"remediationStatus": "active",
"remediationStatusDetails": null,
"roles": [],
"detailedRoles": [],
"tags": [],
"url": "http://127.0.0.1"
},
{
"@odata.type": "Alice Jones",
"createdDateTime": "2025-08-11T23:46:41Z",
"verdict": "suspicious",
"remediationStatus": "active",
"remediationStatusDetails": null,
"roles": [],
"detailedRoles": [],
"tags": [],
"ipAddress": "127.0.0.1",
"countryLetterCode": null,
"stream": null,
"location": null
},
{
"@odata.type": "Alice Jones",
"createdDateTime": "2025-08-11T23:46:41Z",
"verdict": "suspicious",
"remediationStatus": "active",
"remediationStatusDetails": null,
"roles": [],
"detailedRoles": [],
"tags": [],
"processId": 0,
"parentProcessId": 0,
"processCommandLine": "powershell.exe",
"processCreationDateTime": "2025-08-11T23:46:41Z",
"parentProcessCreationDateTime": "2025-08-11T23:46:41Z",
"detectionStatus": "detected",
"mdeDeviceId": "ef7957d9-d20b-870c-9866-dc7d65eb9c56",
"imageFile": {
"sha1": "571dec95-2d94-96da-8f51-3937f7021204",
"sha256": "2b529e8a-85c6-52ca-a01d-8681f8b33e68",
"md5": null,
"sha256Ac": null,
"fileName": "powershell.exe",
"filePath": "C:\\Windows\\",
"fileSize": 450,
"filePublisher": "Microsoft Corporation",
"signer": null,
"issuer": null
},
"parentProcessImageFile": {
"sha1": null,
"sha256": null,
"md5": null,
"sha256Ac": null,
"fileName": "cmd.exe",
"filePath": "C:\\Windows\\",
"fileSize": 33,
"filePublisher": "Microsoft Corporation",
"signer": null,
"issuer": null
},
"userAccount": {
"accountName": "Jane Brown",
"domainName": "Sarah Smith",
"userSid": "4d0ccf4d-5491-fc2a-43dd-4f7dac72bec3",
"azureAdUserId": null,
"userPrincipalName": null,
"displayName": null
}
}
],
"additionalData": {}
}