Reader permissions granted to the application for Alerts from WindowsDefenderATP (steps given below).
Reader permissions granted to the application from the Logs Analytics Workspace (steps given below).
Note: This input fetches logs from t-24h on the first sync. Subsequent syncs are incremental and fetch data from the last successful sync time to the current time.
Represents the type of threat or suspicious activity (e.g., malware, phishing) to filter alerts based on their nature.
Severity
string
false
Indicates the criticality level of an alert (e.g., low, high) to prioritize response actions.
API Rate Limit
object
No
Optional limit on the connector's outbound request rate to the source API. Leave blank to use the connector's default behavior. See API Rate Limiting for the field format, limits, and how to choose a value.
Secrets
Setting
Type
Required
Description
Client ID
string
true
The client ID of the Azure AD application
Client Secret
string
true
The client secret of the Azure AD application
To send a POST request to create this Alerts Connector:
{ "@odata.type": "#microsoft.graph.security.alert", "id": "571b693f-12ed-8411-fd8c-12ddb1fb2e85", "providerAlertId": "fae63ef5-965f-5d15-109a-88788c03babc", "incidentId": "88646", "status": "new", "severity": "high", "classification": "unknown", "determination": "unknown", "serviceSource": "microsoftDefenderForEndpoint", "detectionSource": "antivirus", "detectorId": "7ff6bf84-e53c-a047-aa01-289eb2619d96", "tenantId": "54102d3f-d755-00f7-9836-81202364c5f3", "title": "Suspicious execution of hidden file", "description": "fugiat ea voluptate adipiscing tempor eu deserunt enim sit in quis dolor fugiat mollit elit in ex dolor pariatur ad est ex sit cillum in sint aliqua nostrud culpa adipiscing dolore dolore anim id in minim mollit proident commodo nisi amet enim ut labore occaecat nulla nostrud deserunt ex labore", "recommendedActions": "in in magna reprehenderit reprehenderit dolor fugiat commodo aliqua proident eiusmod adipiscing proident officia officia minim nulla fugiat laborum qui officia laborum aliquip velit minim excepteur nulla magna voluptate dolor in ut in commodo nisi sint exercitation aliquip eu minim occaecat commodo dolor duis aute voluptate nisi labore aute et nostrud aliquip et duis nisi nulla eu reprehenderit quis eiusmod lorem ut culpa et qui fugiat aliqua irure minim commodo aliquip incididunt aliqua eiusmod dolore incididunt adipiscing ea ad exercitation commodo proident voluptate ut mollit eu incididunt dolore cupidatat ipsum in ea anim ullamco deserunt veniam anim qui do minim", "category": "DefenseEvasion", "assignedTo": null, "alertWebUrl": "https://security.microsoft.com/alerts/da2e4416-b566-bd88-e94e-157a040acd8c?tid=ee88ecd4-ae20-5921-cbec-618d9d0a8a19", "incidentWebUrl": "https://security.microsoft.com/incidents/43113?tid=3e9efad0-f65f-0355-c0fc-47ded11437f2", "actorDisplayName": null, "threatDisplayName": null, "threatFamilyName": null, "mitreTechniques": [ "T1564.001" ], "createdDateTime": "2025-08-11T23:46:42Z", "lastUpdateDateTime": "2025-08-11T23:46:42Z", "resolvedDateTime": null, "firstActivityDateTime": "2025-08-11T23:46:42Z", "lastActivityDateTime": "2025-08-11T23:46:42Z", "comments": [], "evidence": [ { "@odata.type": "#microsoft.graph.security.deviceEvidence", "createdDateTime": "2025-08-11T23:46:42Z", "verdict": "unknown", "remediationStatus": "none", "remediationStatusDetails": null, "firstSeenDateTime": "2025-08-11T23:46:42Z", "mdeDeviceId": "ce90113e-ae47-6949-ad4c-35057f489f51", "deviceDnsName": "device2.example.com", "hostName": "host1", "osPlatform": "Windows 8.1", "version": "Other", "healthStatus": "active", "riskScore": "medium", "roles": [ "compromised" ], "tags": [ "Test Machine" ] } ], "systemTags": [ "Defender Experts" ]}