Microsoft Defender Data Connector

Learn how to automatically ingest Microsoft Defender alerts and incidents into Torq to enable Auto-Triage and trigger response workflows.

Overview

The Microsoft Defender data connector provides a native, polling-based ingestion mechanism that continuously brings alerts and incidents into Torq for use in workflows and Auto-Triage.

Key benefits include:

  • Simplified setup: Configure ingestion through a guided UI without building custom integrations, handling OAuth flows, or managing API logic.

  • Continuous event ingestion: Alerts and incidents are retrieved automatically at regular intervals, ensuring a steady data flow.

  • Flexible routing: Route ingested events to workflows, Auto-Triage, or both.

  • Historical backfill: Configure a lookback window (up to 14 days) during setup to ingest past events.

  • Duplicate detection: Prevent duplicate ingestion and maintain data integrity.

  • Built-in reliability: Handle pagination, retries, and rate limits automatically.

Alerts vs. incidents integrations

Torq provides separate integrations for Microsoft Defender alerts and incidents to give you more flexibility and control. Alerts represent individual detections or signals generated by Defender, while incidents are higher-level groupings that correlate multiple alerts into a single investigation.

By offering dedicated integrations for each, Torq allows you to:

  • Trigger automations at the appropriate level (alert-level for granular responses, incident-level for broader investigations).

  • Reduce noise by working with aggregated incident data when needed.

Make sure to choose the integration that best fits your use case when setting up your Defender connector.

Common scenarios

Automated triage and case creation from Defender alerts

The Microsoft Defender data connector enables security teams to automatically route EDR alerts into Torq’s Auto-Triage, where events are enriched, analyzed, and converted into investigation cases with full context.

Case-driven response from XDR incidents

Microsoft Defender XDR correlates signals across multiple security domains into incidents. These incidents are ingested into Torq, where workflows can automate investigation, enrichment, and response across identity, endpoint, email, and cloud environments.

Custom detection rule automation

Custom detections created using Microsoft Defender Advanced Hunting (KQL) are ingested automatically, triggering workflows for enrichment, correlation, and remediation.

Prerequisites

Before setting up the Microsoft Defender data connector, ensure the following permissions are configured in your Microsoft Entra application:

  • Alert ingestion: Grant the SecurityAlert.Read.All permission.

  • Incident ingestion: Grant the SecurityIncident.Read.All permission.

For details, see the Create a Microsoft Entra application section below.

By default, Microsoft Defender XDR ingests only high-risk detections. To include medium- and low-risk alerts, update the alert service settings in the Defender portal. For instructions, see: https://learn.microsoft.com/en-us/defender-xdr/investigate-alerts?tabs=settings#configure-alert-service-settings

How to use

Create a Microsoft Entra application

Before setting up the Microsoft Defender data connector in Torq, you must create a Microsoft Entra application, grant the required permissions, and use the application credentials when configuring the connector in Torq.

Torq provides separate integrations for alerts and incidents. If you use a single Entra application for both integrations, grant both permissions. If you create separate Entra applications, assign only the permission required for each integration.

  1. Log in to Entra: Sign in to the Microsoft Entra portal.

  2. Open App Registrations: Navigate to App Registrations.

  3. Create new app: Click New Registration.

  4. Enter app details: Provide a name for the application and register it.

  5. Open API permissions: Navigate to App registrations > All applications, locate and open your app, then select API Permissions.

  6. Add permissions: Click Add a permission.

  7. Select Microsoft Graph: Choose Microsoft Graph.

  8. Choose permission type: Select Application permissions.

  9. Add required permissions:

    • Add SecurityAlert.Read.All (for alert ingestion)

    • Add SecurityIncident.Read.All (for incident ingestion)

  10. Grant admin consent: Click Grant admin consent to apply the permissions. Ensure admin consent is granted; otherwise, the connector will not be able to retrieve data.

  11. Add an application secret:

    1. Navigate to Certificates & secrets.

    2. Select Client secrets.

    3. Click New client secret.

    4. Enter a description and choose an expiration, then click Add.

    5. Copy the Value field and use it when configuring the connector in Torq.

Set up a data connector instance

  1. Open connector setup: Go to Integrations > Microsoft Defender Alerts or Microsoft Defender Incidents > Add Instance.

  2. Configure connection details:

    • Name: Enter a descriptive name.

    • Tenant ID: Enter your Microsoft Entra tenant ID.

    • Client ID: Enter the application (client) ID.

    • Client Secret: Enter the generated client secret.

  3. Select routing destination: Choose where events will be sent:

    • Workflows

    • Auto-Triage

  4. (Optional) Configure backfill: Set a lookback window (up to 14 days) to ingest historical events.

  5. (Optional, Alerts-only) Service source: Select specific alert types to narrow down ingested events.

  6. Save configuration: Click Add to create the connector. Ingestion starts automatically.

When you edit an existing Defender instance, the backfill (lookback) window cannot be changed. To change it, delete the instance and create a new one with the desired window.

You’ve successfully set up the Microsoft Defender data connector in Torq. With the instance configured, Torq will continuously ingest alerts or incidents from your Defender environment and automatically trigger workflows and Auto-Triage based on those events.

  • Each tenant requires its own connector instance with its own credentials. Per-tenant rate limits apply independently.

  • The XDR Incidents API is rate-limited to 50 calls/min and 1,500 calls/hour. The connector handles rate limit errors automatically with built-in retry logic, but very high-volume environments may experience ingestion delays.

Troubleshooting

Resolve common setup issues

If you receive a Failed to create integration error while configuring the Microsoft Defender Data Connector, the issue is usually related to the Microsoft Entra application, permissions, or connector credentials. Use the checks below to identify and resolve the most common causes.

Check application credentials

Incorrect or incomplete application details are a common cause of integration failures.

  1. Verify Tenant ID: Confirm that the Microsoft Entra Tenant ID is correct.

  2. Verify Client ID: Confirm that the Application (client) ID matches the Entra app used for the connector.

  3. Verify Client Secret: Confirm that the client secret value was copied correctly and has not expired. Use the Value field, not the secret ID.

  4. Check secret validity: If needed, generate a new client secret and update the connector configuration.

Check API permissions

The Entra application must have the required Microsoft Graph application permissions.

  1. Open API permissions: In Microsoft Entra, open the application and go to API Permissions.

  2. Verify required permissions: Confirm that the correct permission is configured for the selected connector type:

    • Alerts: SecurityAlert.Read.All.

    • Incidents: SecurityIncident.Read.All.

  3. Match app to integration: If you use separate Entra applications for Alerts and Incidents, ensure each app has the correct permission for its intended integration. Since Torq validates permissions during setup, a mismatch between the app’s scope and the selected integration will prevent the integration from being created.

  4. Grant admin consent: Confirm that admin consent was granted. Without admin consent, the connector cannot authenticate successfully.
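The credential and permission checks above can be run before touching the connector UI. The following Python script is an added example, not part of the Torq product or this documentation: it builds the client-credentials token request for the Entra app, inspects the roles claim of the returned Graph token to see whether SecurityAlert.Read.All or SecurityIncident.Read.All was actually consented, and builds the polling URL with the 14-day lookback cap. The createdDateTime filter on the Graph alerts_v2 and incidents resources is an assumption about how a poller would express the lookback; the sample token is constructed locally for offline use.

```python
import base64
import json
import urllib.parse
from datetime import datetime, timedelta, timezone

# Microsoft Graph application permission each connector type needs (from the page).
REQUIRED_ROLE = {"alerts": "SecurityAlert.Read.All",
                 "incidents": "SecurityIncident.Read.All"}
GRAPH_RESOURCE = {"alerts": "security/alerts_v2", "incidents": "security/incidents"}
MAX_LOOKBACK_DAYS = 14  # backfill limit stated on the page


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the client-credentials grant against Entra.
    POST the body to the url (e.g. with urllib.request) to obtain a Graph token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": "https://graph.microsoft.com/.default"}).encode()
    return url, body


def jwt_roles(access_token):
    """Read the 'roles' claim from an access token WITHOUT verifying it.
    This is inspection only: Graph validates the token; we just want to see
    which application permissions admin consent actually granted."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def missing_role(access_token, connector_type):
    """Return the required role if the token lacks it (permission not added or
    admin consent not granted), else None."""
    role = REQUIRED_ROLE[connector_type]
    return None if role in jwt_roles(access_token) else role


def clamp_lookback(days):
    """Clamp a requested backfill window to the 0..14 day range."""
    return min(max(int(days), 0), MAX_LOOKBACK_DAYS)


def backfill_url(connector_type, lookback_days):
    """Graph URL a poller would call for the backfill window (filter field assumed)."""
    since = datetime.now(timezone.utc) - timedelta(days=clamp_lookback(lookback_days))
    flt = urllib.parse.quote(f"createdDateTime ge {since:%Y-%m-%dT%H:%M:%SZ}")
    return f"https://graph.microsoft.com/v1.0/{GRAPH_RESOURCE[connector_type]}?$filter={flt}"


def make_unsigned_token(roles):
    """Constructed sample token (header.payload.signature) for offline demos only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'roles': roles})}.sig"
```

If missing_role reports a role for the connector type you are creating, the fix is in Entra (add the permission and grant admin consent), not in the Torq instance settings.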

Check integration type and configuration

Misaligned connector settings can also prevent successful creation.

  1. Verify integration type: Confirm that you are creating the correct integration type (Microsoft Defender Alerts or Microsoft Defender Incidents).

  2. Match credentials to connector: Ensure the Entra application you are using has the permissions required for that specific connector.

Check customer environment settings

In some cases, the issue is caused by the Microsoft Defender or Microsoft Entra environment itself.

  • Licensing: Confirm that the tenant has access to the relevant Microsoft Defender APIs.

  • Conditional access / policy restrictions: Verify that there are no organizational policies blocking the application from authenticating.

  • Service principal restrictions: Confirm that the application is allowed to use application permissions in the tenant.

What to do if the issue persists

If the integration still fails after completing the checks above:

  • Recreate the client secret: Generate a new secret and retry the setup.

  • Recheck permissions: Remove and re-add the required Microsoft Graph permission, then grant admin consent again.

  • Validate with the correct app: Confirm that the Tenant ID, Client ID, and Client Secret all belong to the same Entra application.

  • Contact support: If the issue persists, gather the connector type, tenant details, and Entra app configuration information before escalating the issue.