# Microsoft 365 Defender Integration

**Step 1: Create Webhook for Microsoft 365 Defender**

* Visit the **Webhooks** page in AIR.
* Click the "**+ New Webhook**" button in the upper right corner.
* Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.).
* Select "**Microsoft 365 Defender Webhook Parser**" as the parser for this webhook.
* Select the **Acquisition Profile** to use when Microsoft 365 activates this webhook.
* Set the **Ignore** option or leave it at its default value (defaults to 24 hours for recurrent alerts for a single endpoint).
* Provide other settings such as **Evidence Repository**, **CPU Limit**, and **Compression & Encryption**, or let AIR configure them automatically based on the matching policy.
* Click the "**Save**" button.
* Copy the Webhook URL for Step 2.

**Step 2: Setting up Power Automate**

* Log in to [Power Automate](https://make.powerautomate.com/).
* Go to My Flows on the left-hand pane.
* Click New Flow, then Automated Cloud Flow.
* Give the flow an explanatory **Flow Name**, select Microsoft Defender ATP as the flow’s trigger, and create it.
* Set up your alert conditions according to [Microsoft Documentation](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-microsoft-flow?view=o365-worldwide).
* Go to Actions and find HTTP Webhook.
* Use the Webhook URL copied in Step 1 as the HTTP POST URL.
* Add the `Content-Type: application/json` header.
* Click Add dynamic content and insert the trigger’s “MachineName” dynamic content as the host value in the POST body:

  `{"result":{"host": "MachineName"}}`
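To check the webhook from Step 1 before relying on the flow, the same POST can be sent by hand. The script below is an added example, not part of AIR or the Microsoft documentation; the placeholder URL, the HTTPS-only check and the hostname pattern are assumptions made for the example.

```python
import json
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed placeholder; replace with the Webhook URL copied in Step 1.
EXAMPLE_WEBHOOK_URL = "https://air.example.invalid/webhook-placeholder"

# Assumption: machine names are DNS/NetBIOS-style (letters, digits, '.', '_', '-').
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9._-]{0,253}[A-Za-z0-9])?$")


def build_webhook_request(webhook_url, machine_name):
    """Build the POST described in Step 2: JSON header plus {"result":{"host": ...}}."""
    parts = urlsplit(webhook_url)
    # Assumption: refuse cleartext so the webhook URL is never sent over plain HTTP.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("webhook URL must be an absolute https:// URL")
    if not _HOSTNAME_RE.match(machine_name):
        raise ValueError(f"unexpected characters in machine name: {machine_name!r}")
    # json.dumps escapes the value, so the body is always well-formed JSON.
    body = json.dumps({"result": {"host": machine_name}}).encode("utf-8")
    return urllib.request.Request(
        webhook_url,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def send(request, timeout=10):
    """Send the request and return (HTTP status, response text), including error statuses."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage: python test_webhook.py <webhook-url> <machine-name>
    status, text = send(build_webhook_request(sys.argv[1], sys.argv[2]))
    print(status, text)
```

A request the webhook accepts is handled like a real alert for the named machine, so run the test against an endpoint where starting the selected Acquisition Profile is acceptable.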
