Defender XDR Incidents
The Microsoft Defender XDR Incidents Input retrieves incidents formed from the alerts generated by the services and applications that come under Microsoft's unified Extended Detection and Response (XDR) platform.
Sync Type: Incremental
Overview
Services and apps within the Microsoft Defender XDR suite create alerts when they detect a suspicious or malicious event or activity. Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. This input connects to the Microsoft Graph Security API to fetch a list of incidents.
Supported Security Services
The input retrieves incidents formed from the alerts generated by the following Microsoft Defender services:
- Microsoft Defender for Endpoint - Endpoint detection and response alerts from workstations, servers, and mobile devices
- Microsoft Defender for Cloud - Cloud security posture management and threat protection alerts from Azure, AWS, and GCP resources
- Microsoft Defender for Identity - Identity-based threats and suspicious activities targeting Active Directory environments
- Microsoft Defender for Office 365 - Email and collaboration threats including phishing, malware, and safe attachments/links
- Microsoft Defender for Cloud Apps - Cloud application security alerts and anomalous user behavior detection
Associated Alerts
Each incident record has an array of alerts associated with it.
Prerequisites
- Have a Microsoft Account with an active Azure Subscription.
- Register a new Application in App Registrations in Azure Entra ID portal.
- Make sure this new application has the following permissions:
  - Microsoft Graph:
    - SecurityIncident.Read.All
    - SecurityIncident.ReadWrite.All
  - Minimum role assignment: Reader role on the subscription or resource group scope.
Setting up a new application for API Access
- Registering a new application
  - Open the App Registration page in the Azure Entra ID portal.
  - Select New Registration.
  - Add a name to the new registration.
  - Click Register.
  - Save the application's Application (client) ID and Directory (tenant) ID.
  - Select Certificates and Secrets.
  - Click the link next to Client credentials.
  - In "Client secrets" click "New client secret".
  - Add a name and expiration to the new secret.
  - Save the client secret value.
- Give the application access to the Microsoft Graph API
  - Click "API Permissions" on the left sidebar.
  - Click "Add Permission".
  - Select "Microsoft Graph API".
  - Select the permissions SecurityIncident.Read.All and SecurityIncident.ReadWrite.All.
  - On the API permissions page, click "Grant admin consent for Default Directory".
- Grant access to your User
  - Navigate to Subscriptions.
  - Select the active Subscription.
  - Click "Access control (IAM)" on the left menu.
  - Select "Add Role Assignment" from the "+ Add" menu.
  - Select the Reader role and click Next.
  - Click "Select members".
  - Search for the new application name and click Select.
  - Click "Review + assign".
  - Confirm by clicking "Review + assign".
Configuration
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Tenant ID | string | true | The tenant ID of the Azure AD application |
| Interval | number | true | The number of seconds between runs of this connector |
| Backfill Start Time | string | false | The date to start fetching data from. If not specified, no past records will be fetched. |
Secrets
| Setting | Type | Required | Description |
|---|---|---|---|
| Client ID | string | true | The client ID of the Azure AD application |
| Client Secret | string | true | The client secret of the Azure AD application |
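As an added example (not the connector's own code), the following Python shows the exchange the connector performs with these settings: a client-credentials token request built from the Tenant ID, Client ID and Client Secret, then an incremental pull of the Graph Security incidents list filtered on lastUpdateDateTime, starting from the Backfill Start Time on the first run and from a stored checkpoint afterwards. The token URL, the incidents endpoint, `$expand=alerts` and the `.default` scope are Microsoft's published values; the `ge` filter, the checkpoint scheme, the page size and every function name here are this example's assumptions. Because it only reads incidents, SecurityIncident.Read.All is enough for it; SecurityIncident.ReadWrite.All is only needed if incidents are also updated.

```python
"""Incremental Defender XDR incident pull over the Microsoft Graph Security API.

Added example, not the connector's own code. Endpoint, token URL and scope are
Microsoft's published values; the checkpoint logic and page size are assumptions.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Optional

GRAPH_INCIDENTS_URL = "https://graph.microsoft.com/v1.0/security/incidents"
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, bytes]:
    """OAuth2 client-credentials grant: returns (url, form-encoded body).
    The three arguments are the Tenant ID, Client ID and Client Secret settings."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    return TOKEN_URL.format(tenant_id=tenant_id), body


def parse_graph_time(value: str) -> datetime:
    """Graph timestamps are UTC and may carry fractional seconds; they are dropped so
    '2025-08-11T23:46:41.1234567Z' and '2025-08-11T23:46:41Z' both parse."""
    head = value.rstrip("Z").split(".")[0]
    return datetime.strptime(head + "Z", TIME_FMT).replace(tzinfo=timezone.utc)


def build_incidents_url(since: Optional[datetime], page_size: int = 50) -> str:
    """First-page URL. `since` (a UTC datetime) is the stored checkpoint, or the Backfill
    Start Time on the very first run. None means no backfill was configured, so no
    filter is sent and only records from the present onward are consumed."""
    params = {"$top": str(page_size), "$expand": "alerts"}
    if since is not None:
        params["$filter"] = f"lastUpdateDateTime ge {since.strftime(TIME_FMT)}"
    return GRAPH_INCIDENTS_URL + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def fetch_incidents(http_get: Callable[[str], dict], first_url: str) -> list[dict]:
    """Follow @odata.nextLink until the server stops returning one.
    http_get(url) returns the parsed JSON body; inject the real transport or a fake."""
    incidents, url = [], first_url
    while url:
        page = http_get(url)
        incidents.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return incidents


def next_checkpoint(incidents: list[dict], current: Optional[datetime]) -> Optional[datetime]:
    """Advance the checkpoint to the newest lastUpdateDateTime seen. With 'ge' in the
    filter, a record updated in the same second as the checkpoint is re-fetched rather
    than missed; the consumer should dedupe on (id, lastUpdateDateTime)."""
    newest = current
    for inc in incidents:
        stamp = parse_graph_time(inc["lastUpdateDateTime"])
        if newest is None or stamp > newest:
            newest = stamp
    return newest


def graph_http_get(token: str) -> Callable[[str], dict]:
    """Real transport: bearer-authenticated GET that returns the JSON body."""
    def _get(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return _get


def run_once(tenant_id: str, client_id: str, client_secret: str,
             checkpoint: Optional[datetime]) -> tuple[list[dict], Optional[datetime]]:
    """One connector run (network): obtain a token, pull everything since the
    checkpoint, and return the incidents plus the checkpoint for the next run."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=30) as resp:
        token = json.load(resp)["access_token"]
    incidents = fetch_incidents(graph_http_get(token), build_incidents_url(checkpoint))
    return incidents, next_checkpoint(incidents, checkpoint)
```

The Interval setting corresponds to calling `run_once` on a timer and persisting the returned checkpoint between runs; the transport is injected so the paging and checkpoint logic can be exercised offline against canned pages.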
Sample Record
```json
{
  "id": "d6cf53a1-e3db-3476-2396-32009dcde59c",
  "tenantId": "1eab03e4-a6de-52a3-855d-d327a29fdbca",
  "status": "active",
  "incidentWebUrl": "https://security.microsoft.com/incident/3fe7e2fe-a7bf-48c1-dd25-df9a2310858f/overview?tid=d29ff5e6-7bef-4934-4406-9146a678be44",
  "redirectIncidentId": null,
  "displayName": "Malware detected on endpoint",
  "createdDateTime": "2025-08-11T23:46:41Z",
  "lastUpdateDateTime": "2025-08-11T23:46:41Z",
  "assignedTo": "",
  "classification": "truePositive",
  "determination": "malware",
  "severity": "high",
  "customTags": [
    "endpoint-threat",
    "malware"
  ],
  "systemTags": [
    "Defender"
  ],
  "description": "Suspicious executable detected and quarantined on corporate endpoint",
  "lastModifiedBy": "Tom Jones",
  "resolvingComment": null,
  "summary": "Trojan detected via behavioral analysis",
  "comments": [
    {
      "comment": "Investigating potential lateral movement",
      "createdBy": "Tom Smith",
      "createdTime": "2025-08-11T23:46:41Z"
    }
  ],
  "alerts": [
    {
      "id": "8a852d88-d189-efa0-5735-d85daed9632a",
      "providerAlertId": "c356ba19-ef66-78c5-ed45-435a344164b6",
      "incidentId": "a17d3305-f676-80c8-0412-d3764fd043f0",
      "status": "new",
      "severity": "high",
      "classification": "truePositive",
      "determination": "malware",
      "serviceSource": "MicrosoftDefenderATP",
      "detectionSource": "EDR",
      "productName": "Microsoft Defender for Endpoint",
      "detectorId": "d3fa8b94-2764-74f6-2ef7-9285975e5489",
      "tenantId": "089580ea-1be7-3514-bdea-2a264c241b1f",
      "title": "Malware detected",
      "description": "Behavioral analysis detected malicious activity",
      "recommendedActions": "Isolate machine and run full scan",
      "category": "Malware",
      "assignedTo": "",
      "alertWebUrl": "https://security.microsoft.com/alerts/96d1d9ca-94e3-6a4c-1f58-7758d268f4fc?tid=7f9d8ed3-3425-c6c6-ddfb-3ea344cd43b8",
      "incidentWebUrl": "https://security.microsoft.com/incident/d1be7520-8dbe-594a-538b-f28fcfa180d9/overview?tid=935e1aee-289d-bcac-578e-6916693baed9",
      "actorDisplayName": null,
      "threatDisplayName": "Trojan:Win32/Wacatac.B!ml",
      "threatFamilyName": "Trojan",
      "mitreTechniques": [
        "T1055",
        "T1106"
      ],
      "createdDateTime": "2025-08-11T23:46:41Z",
      "lastUpdateDateTime": "2025-08-11T23:46:41Z",
      "resolvedDateTime": null,
      "firstActivityDateTime": "2025-08-11T23:46:41Z",
      "lastActivityDateTime": "2025-08-11T23:46:41Z",
      "systemTags": [
        "Defender"
      ],
      "alertPolicyId": null,
      "comments": [],
      "customDetails": {
        "ProcessName": "suspicious.exe",
        "ProcessId": "3985",
        "CommandLine": "C:\\temp\\suspicious.exe -stealth"
      },
      "evidence": [
        {
          "@odata.type": "#microsoft.graph.security.deviceEvidence",
          "createdDateTime": "2025-08-11T23:46:41Z",
          "verdict": "malicious",
          "remediationStatus": "prevented",
          "remediationStatusDetails": "File quarantined",
          "roles": [
            "compromised"
          ],
          "detailedRoles": [
            "primaryTarget"
          ],
          "tags": [
            "isolated"
          ],
          "deviceDnsName": "DESKTOP-Alice Brown",
          "osPlatform": "Windows10",
          "osVersion": "10.0.19044",
          "riskScore": "high"
        },
        {
          "@odata.type": "#microsoft.graph.security.fileEvidence",
          "createdDateTime": "2025-08-11T23:46:41Z",
          "verdict": "malicious",
          "remediationStatus": "prevented",
          "remediationStatusDetails": "File quarantined",
          "roles": [
            "malware"
          ],
          "detailedRoles": [
            "trojan"
          ],
          "tags": [
            "quarantined"
          ],
          "fileName": "suspicious.exe",
          "filePath": "C:\\temp\\suspicious.exe",
          "fileSize": 465419,
          "filePublisher": null,
          "sha1": "",
          "sha256": "",
          "md5": ""
        }
      ],
      "additionalData": {
        "OriginalAlertProductName": "Microsoft Defender for Endpoint",
        "OriginalAlertProviderName": "WindowsDefenderAtp",
        "AlertUri": "https://security.microsoft.com/alerts/4d1e95e4-9473-ec70-b36d-7d1d751f61e9",
        "TimeGenerated": "2025-08-11T23:46:41Z",
        "ProcessingEndTime": "2025-08-11T23:46:41Z",
        "Intent@odata.type": "#Int64",
        "Intent": 1048576,
        "ThreatName": "Trojan:Win32/Wacatac.B!ml",
        "DetectionMethod": "Behavioral",
        "MachineName": "DESKTOP-Alice Brown",
        "ThreatCategory": "Trojan",
        "RemediationAction": "Quarantine"
      }
    }
  ]
}
```
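The sample record above embeds the associated alerts and their evidence. As an added example (not the connector's own code), the Python below flattens such a record into one row per alert for triage: MITRE technique IDs, affected device names from deviceEvidence, file hashes from fileEvidence, and whether every evidence item was prevented. The embedded record is a constructed, trimmed copy of the page's sample; the row layout and function names are this example's choices. One caveat it handles explicitly: the sample's fileEvidence carries empty strings for sha1, sha256 and md5, and an empty hash must never be emitted as an indicator.

```python
"""Flatten a Defender XDR incident (fetched with $expand=alerts) into per-alert rows.

Added example, not the connector's own code. SAMPLE_INCIDENT is a constructed,
trimmed copy of the page's sample record.
"""

FILE_EVIDENCE = "#microsoft.graph.security.fileEvidence"
DEVICE_EVIDENCE = "#microsoft.graph.security.deviceEvidence"
HASH_KEYS = ("sha256", "sha1", "md5")

# Constructed sample, mirroring the page's record with most fields trimmed.
SAMPLE_INCIDENT = {
    "id": "d6cf53a1-e3db-3476-2396-32009dcde59c",
    "severity": "high",
    "lastUpdateDateTime": "2025-08-11T23:46:41Z",
    "alerts": [
        {
            "id": "8a852d88-d189-efa0-5735-d85daed9632a",
            "serviceSource": "MicrosoftDefenderATP",
            "title": "Malware detected",
            "threatDisplayName": "Trojan:Win32/Wacatac.B!ml",
            "mitreTechniques": ["T1055", "T1106"],
            "evidence": [
                {"@odata.type": DEVICE_EVIDENCE, "verdict": "malicious",
                 "remediationStatus": "prevented", "deviceDnsName": "DESKTOP-Alice Brown"},
                {"@odata.type": FILE_EVIDENCE, "verdict": "malicious",
                 "remediationStatus": "prevented", "fileName": "suspicious.exe",
                 "filePath": "C:\\temp\\suspicious.exe",
                 "sha1": "", "sha256": "", "md5": ""},
            ],
        }
    ],
}


def file_hashes(evidence: list[dict]) -> list[dict]:
    """Hashes from fileEvidence items only, keeping only non-empty fields. The page's
    sample has "" for all three, so it yields nothing rather than a blank indicator."""
    out = []
    for item in evidence:
        if item.get("@odata.type") != FILE_EVIDENCE:
            continue
        hashes = {k: item[k] for k in HASH_KEYS if item.get(k)}
        if hashes:
            out.append({"fileName": item.get("fileName"), **hashes})
    return out


def affected_devices(evidence: list[dict]) -> list[str]:
    """Distinct device names from deviceEvidence items, sorted for stable output."""
    return sorted({
        item["deviceDnsName"] for item in evidence
        if item.get("@odata.type") == DEVICE_EVIDENCE and item.get("deviceDnsName")
    })


def alert_rows(incident: dict) -> list[dict]:
    """One triage row per alert in the incident's `alerts` array."""
    rows = []
    for alert in incident.get("alerts", []):
        evidence = alert.get("evidence", [])
        rows.append({
            "incidentId": incident["id"],
            "incidentSeverity": incident.get("severity"),
            "alertId": alert["id"],
            "serviceSource": alert.get("serviceSource"),
            "title": alert.get("title"),
            "threat": alert.get("threatDisplayName"),
            "techniques": list(alert.get("mitreTechniques", [])),
            "devices": affected_devices(evidence),
            "fileHashes": file_hashes(evidence),
            # True only when there is evidence and every item reports "prevented".
            "prevented": bool(evidence) and all(
                item.get("remediationStatus") == "prevented" for item in evidence),
        })
    return rows


def incident_techniques(incident: dict) -> list[str]:
    """Union of MITRE technique IDs across all alerts, e.g. for coverage mapping."""
    return sorted({t for a in incident.get("alerts", []) for t in a.get("mitreTechniques", [])})


if __name__ == "__main__":
    for row in alert_rows(SAMPLE_INCIDENT):
        print(row)
```

A row whose `prevented` flag is false, or whose `fileHashes` list is empty while the verdict is malicious, is the case that needs an analyst rather than an automated close, since the record then gives no hash to pivot on.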