Copy page

Microsoft

Defender XDR Incidents

The Microsoft Defender XDR Incidents Input retrieves incidents formed based on the alerts generated by the services and applications that comes under Microsoft's unified Extended Detection and Response (XDR) platform.

Sync Type: Incremental

Overview

Services and apps within the Microsoft Defender XDR suite create alerts when they detect a suspicious or malicious event or activity. Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. This input connects to the Microsoft Graph Security API to fetch a list of incidents.

Supported Security Services

The input retrieves incidents formed based on the alerts generated from the following Microsoft Defender services:

• Microsoft Defender for Endpoint - Endpoint detection and response alerts from workstations, servers, and mobile devices
• Microsoft Defender for Cloud - Cloud security posture management and threat protection alerts from Azure, AWS, and GCP resources
• Microsoft Defender for Identity - Identity-based threats and suspicious activities targeting Active Directory environments
• Microsoft Defender for Office 365 - Email and collaboration threats including phishing, malware, and safe attachments/links
• Microsoft Defender for Cloud Apps - Cloud application security alerts and anomalous user behavior detection

Associated Alerts

Each incident record has an array of alerts associated with it.

Prerequisites

1. Have a Microsoft Account with an active Azure Subscription.
2. Register a new Application in App Registrations in Azure Entra ID portal.
3. Make sure this new application has the following permissions -
   • Microsoft Graph -
     • SecurityIncident.Read.All
     • SecurityIncident.ReadWrite.All

Minimum role assignment: Reader role on the subscription or resource group scope.

Setting up a new application for API Access

1. Registering a new application
   1. Open the App Registration page in the Azure Entra ID portal.
   2. Select New Registration.
   3. Add a name to the new registration.
   4. Click Register.
   5. Save the applications Application (client) ID and Directory (tenant) ID.
   6. Select Certificates and Secrets.
   7. Click link next to Client credentials.
   8. In "Client secrets" click "New client secret".
   9. Add a name and expiration to the new secret.
   10. Save the client secret value.
2. Give application access to Microsoft Graph API
   1. Click "API Permissions" on left sidebar.
   2. Click "Add Permission".
   3. Select "Microsoft Graph API".
   4. Select permissions SecurityIncident.Read.All, SecurityIncident.ReadWrite.All
3. On the API permission page, click on "Grant admin consent for Default Directory".
4. Grant access to your User
   1. Navigate to Subscriptions.
   2. Select the active Subscription.
   3. Click "Access control (IAM)" on the left menu.
   4. Select "Add Role Assignment" from the "+ Add" menu.
   5. Select the Reader role and click Next.
   6. Click "Select members".
   7. Search for the new application name and click Select.
   8. Click "Review + assign".
   9. Confirm by clicking "Review + assign".

Configuration

Settings

Setting	Type	Required	Description
Tenant ID	string	true	The tenant ID of the Azure AD application
Interval	number	true	The number of seconds between runs of this connector
Backfill Start Time	string	No	The date to start fetching data from. If not specified, no past records will be fetched.

Secrets

Setting	Type	Required	Description
Client ID	string	true	The client ID of the Azure AD application
Client Secret	string	true	The client secret of the Azure AD application

Related Articles

• Microsoft Defender XDR - Overview
• Microsoft Graph - List Incidents

Sample Record

Code
{
  "id": "d6cf53a1-e3db-3476-2396-32009dcde59c",
  "tenantId": "1eab03e4-a6de-52a3-855d-d327a29fdbca",
  "status": "active",
  "incidentWebUrl": "https://security.microsoft.com/incident/3fe7e2fe-a7bf-48c1-dd25-df9a2310858f/overview?tid=d29ff5e6-7bef-4934-4406-9146a678be44",
  "redirectIncidentId": null,
  "displayName": "Malware detected on endpoint",
  "createdDateTime": "2025-08-11T23:46:41Z",
  "lastUpdateDateTime": "2025-08-11T23:46:41Z",
  "assignedTo": "",
  "classification": "truePositive",
  "determination": "malware",
  "severity": "high",
  "customTags": [
    "endpoint-threat",
    "malware"
  ],
  "systemTags": [
    "Defender"
  ],
  "description": "Suspicious executable detected and quarantined on corporate endpoint",
  "lastModifiedBy": "Tom Jones",
  "resolvingComment": null,
  "summary": "Trojan detected via behavioral analysis",
  "comments": [
    {
      "comment": "Investigating potential lateral movement",
      "createdBy": "Tom Smith",
      "createdTime": "2025-08-11T23:46:41Z"
    }
  ],
  "alerts": [
    {
      "id": "8a852d88-d189-efa0-5735-d85daed9632a",
      "providerAlertId": "c356ba19-ef66-78c5-ed45-435a344164b6",
      "incidentId": "a17d3305-f676-80c8-0412-d3764fd043f0",
      "status": "new",
      "severity": "high",
      "classification": "truePositive",
      "determination": "malware",
      "serviceSource": "MicrosoftDefenderATP",
      "detectionSource": "EDR",
      "productName": "Microsoft Defender for Endpoint",
      "detectorId": "d3fa8b94-2764-74f6-2ef7-9285975e5489",
      "tenantId": "089580ea-1be7-3514-bdea-2a264c241b1f",
      "title": "Malware detected",
      "description": "Behavioral analysis detected malicious activity",
      "recommendedActions": "Isolate machine and run full scan",
      "category": "Malware",
      "assignedTo": "",
      "alertWebUrl": "https://security.microsoft.com/alerts/96d1d9ca-94e3-6a4c-1f58-7758d268f4fc?tid=7f9d8ed3-3425-c6c6-ddfb-3ea344cd43b8",
      "incidentWebUrl": "https://security.microsoft.com/incident/d1be7520-8dbe-594a-538b-f28fcfa180d9/overview?tid=935e1aee-289d-bcac-578e-6916693baed9",
      "actorDisplayName": null,
      "threatDisplayName": "Trojan:Win32/Wacatac.B!ml",
      "threatFamilyName": "Trojan",
      "mitreTechniques": [
        "T1055",
        "T1106"
      ],
      "createdDateTime": "2025-08-11T23:46:41Z",
      "lastUpdateDateTime": "2025-08-11T23:46:41Z",
      "resolvedDateTime": null,
      "firstActivityDateTime": "2025-08-11T23:46:41Z",
      "lastActivityDateTime": "2025-08-11T23:46:41Z",
      "systemTags": [
        "Defender"
      ],
      "alertPolicyId": null,
      "comments": [],
      "customDetails": {
        "ProcessName": "suspicious.exe",
        "ProcessId": "3985",
        "CommandLine": "C:\\temp\\suspicious.exe -stealth"
      },
      "evidence": [
        {
          "@odata.type": "#microsoft.graph.security.deviceEvidence",
          "createdDateTime": "2025-08-11T23:46:41Z",
          "verdict": "malicious",
          "remediationStatus": "prevented",
          "remediationStatusDetails": "File quarantined",
          "roles": [
            "compromised"
          ],
          "detailedRoles": [
            "primaryTarget"
          ],
          "tags": [
            "isolated"
          ],
          "deviceDnsName": "DESKTOP-Alice Brown",
          "osPlatform": "Windows10",
          "osVersion": "10.0.19044",
          "riskScore": "high"
        },
        {
          "@odata.type": "#microsoft.graph.security.fileEvidence",
          "createdDateTime": "2025-08-11T23:46:41Z",
          "verdict": "malicious",
          "remediationStatus": "prevented",
          "remediationStatusDetails": "File quarantined",
          "roles": [
            "malware"
          ],
          "detailedRoles": [
            "trojan"
          ],
          "tags": [
            "quarantined"
          ],
          "fileName": "suspicious.exe",
          "filePath": "C:\\temp\\suspicious.exe",
          "fileSize": 465419,
          "filePublisher": null,
          "sha1": "",
          "sha256": "",
          "md5": ""
        }
      ],
      "additionalData": {
        "OriginalAlertProductName": "Microsoft Defender for Endpoint",
        "OriginalAlertProviderName": "WindowsDefenderAtp",
        "AlertUri": "https://security.microsoft.com/alerts/4d1e95e4-9473-ec70-b36d-7d1d751f61e9",
        "TimeGenerated": "2025-08-11T23:46:41Z",
        "ProcessingEndTime": "2025-08-11T23:46:41Z",
        "Intent@odata.type": "#Int64",
        "Intent": 1048576,
        "ThreatName": "Trojan:Win32/Wacatac.B!ml",
        "DetectionMethod": "Behavioral",
        "MachineName": "DESKTOP-Alice Brown",
        "ThreatCategory": "Trojan",
        "RemediationAction": "Quarantine"
      }
    }
  ]
}