Creating IDR Incidents from the Microsoft Defender Incidents plugin

Hello, has anyone successfully used the Microsoft Defender Incidents plugin to create IDR investigations when new incidents are created?

I’m struggling to get any output from the plugin. We are getting Defender ATP alerts through to IDR using the Defender ATP data source, but this is not creating incidents for the Defender for Cloud alerts we are seeing within our Defender portal.

If anyone has any documentation or hints for successfully using this plugin it would be greatly appreciated.


Maybe you can create a custom rule for this and create an investigation. I’m not sure, however, if custom rules apply to IDR’s UEBA…