Skip to content
XDR Forensics Knowledge Base

Microsoft 365 Defender Integration

Step 1: Create Webhook for Microsoft 365 Defender

  • Visit the Webhooks page in XDR Forensics,
  • Click the ”+ New Webhook” button on the upper right corner,
  • Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),
  • Select ” Microsoft 365 Defender Webhook Parser” as the parser for this webhook,
  • Select an Acquisition Profile when Microsoft 365 activates this webhook,
  • Select the Ignore option or leave with its default value (defaults to 24 hours for recurrent alerts for a single endpoint),
  • Provide other settings such as Evidence Repository, CPU Limit, Compression & Encryption to use or let XDR Forensics configure them automatically based on the matching policy
  • Click the “Save” button.
  • Copy the Webhook URL for Step 2.

Step 2: Setting up Power Automate

  • Log in to Power Automate.

  • Go to My Flows on the left-hand pane.

  • Click New Flow and Automated Cloud Flow

  • Give an explanatory Flow Name, select Microsoft Defender ATP as the flow’s trigger and create it.

  • Set up your alert conditions according to Microsoft Documentation.

  • Go to Actions and find HTTP Webhook.

  • Use the copied Webhook URL created in the first step as an HTTP Post URL,

  • Add Content-Type: application/json header,

  • Click Add dynamic content, and use the dynamic content from your trigger in your response’s post body “MachineName”.

    {"result":{"host": "MachineName"}}