
How to send XDR Events to LAW onboarded to Unified Security Experience

Taylor Bianchi 20 Reputation points
2026-03-19T20:11:31.7966667+00:00

My Sentinel workspace is onboarded onto Unified Security in Defender Portal. We are trying to forward XDR events, specifically the DeviceEvents to the workspace so they can be used outside the portal or for retention purposes. However, when we try to send those events to the workspace, it fails or provides token issues. We also don't see the option to forward DeviceEvents tables in the Defender Portal.

When I try to do this through the API I get this error:

{"error":{"code":"BadRequest","message":"The workspace is enabled through the Microsoft Threat Protection Portal. Changes to the connector in Microsoft Sentinel are disabled. For more information https://aka.ms/primaryWorkspace"}}%

I understand that streaming events to Event Hub and then forwarding from Event Hub to the workspace is an option, but my understanding is that those events won't land in the DeviceEvents* tables; they will be custom tables. I'd prefer to just use the connector with native support/integration. Is this not possible now?

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

Answer accepted by question author
  1. Rukmini 36,445 Reputation points Microsoft External Staff Moderator
    2026-03-19T21:19:29.5333333+00:00

    Hello Taylor Bianchi

    This behavior is by design.

    The workspace becomes a Defender-managed (primary) workspace since it is integrated with Microsoft Defender XDR (Unified Security Operations). In this mode:

    • Microsoft Sentinel does not allow the configuration of data connectors, including DeviceEvents.
    • API attempts to modify connectors return: “workspace is enabled through Microsoft Threat Protection Portal…”
    • Defender owns and ingests native tables, such as DeviceEvents, which are neither reconfigurable nor forwardable.

    Hence, it is not possible to forward DeviceEvents to the workspace using the Sentinel connection or API, and only custom tables may be filled through Event Hub; native tables cannot be filled externally.

    As a workaround, use Defender export options (e.g., API / Event Hub), noting that data will land in custom tables only.

    For extended retention or external querying, the supported approach is to export the data (e.g., Event Hub → Storage), rather than re-ingesting it into native tables.

    Flexibility is intentionally limited to maintain performance, cost control, and data integrity. For custom requirements, export to external systems/custom tables is the supported approach.

    If the resolution was helpful, kindly take a moment to click on Yes for "Was this answer helpful?". And, if you have any further query, do let us know.

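Two small helpers for the situation described in the question and the accepted answer, added here as an example and not taken from the thread or from any Microsoft SDK. The first recognises the BadRequest body quoted in the question so automation stops trying to edit a Defender-managed connector; the second shapes a Defender XDR streaming-API message from Event Hub into rows for a custom Log Analytics table, which is the only destination the answer says is available. The Event Hub envelope layout (a `records` array whose items carry `time`, `category` and `properties`) and the sample message below are assumptions constructed for this example; check them against a real message before relying on them.

```python
"""Helpers for a Defender-managed (primary) Sentinel workspace.

1. is_defender_managed_error(): spot the ARM error that says connector
   changes are blocked because the workspace is managed from the Defender
   portal, so a deployment script skips the step instead of retrying.
2. stream_records_to_rows(): flatten one Event Hub message from the Defender
   XDR streaming API into rows for a custom table (e.g. DeviceEvents_CL),
   since native tables such as DeviceEvents cannot be written externally.

ASSUMPTION: the Event Hub message layout used below (a "records" array with
"time", "category" and "properties") is a constructed approximation.
"""
import json
from datetime import datetime, timezone

# Fragment of the message text returned for a Defender-managed workspace (from the question).
PRIMARY_WORKSPACE_HINT = "enabled through the Microsoft Threat Protection Portal"

# Error body exactly as quoted in the question.
SAMPLE_ERROR = ('{"error":{"code":"BadRequest","message":"The workspace is enabled through '
                'the Microsoft Threat Protection Portal. Changes to the connector in Microsoft '
                'Sentinel are disabled. For more information https://aka.ms/primaryWorkspace"}}')

# Constructed Event Hub message: one DeviceEvents record and one of another category.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {"time": "2026-03-19T20:00:00Z",
         "tenantId": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
         "operationName": "Publish",
         "category": "AdvancedHunting-DeviceEvents",
         "properties": {"DeviceName": "wkstn01.contoso.example",
                        "ActionType": "PowerShellCommand", "ReportId": 12345}},
        {"time": "2026-03-19T20:00:01Z",
         "tenantId": "00000000-0000-0000-0000-000000000000",
         "operationName": "Publish",
         "category": "AdvancedHunting-DeviceProcessEvents",
         "properties": {"DeviceName": "wkstn01.contoso.example",
                        "ActionType": "ProcessCreated", "ReportId": 12346}},
    ]
})


def is_defender_managed_error(body: str) -> bool:
    """True when an ARM error body says connector changes are blocked because
    the workspace is Defender-managed; False for any other or malformed body."""
    try:
        err = json.loads(body).get("error", {})
    except (json.JSONDecodeError, AttributeError):
        return False
    return err.get("code") == "BadRequest" and PRIMARY_WORKSPACE_HINT in err.get("message", "")


def stream_records_to_rows(message: str, category: str = "AdvancedHunting-DeviceEvents") -> list:
    """Flatten one Event Hub message into custom-table rows.

    Only records of the requested category are kept, so one Event Hub stream
    carrying several Advanced Hunting tables can feed one custom table per
    category. The record's "time" is normalised to RFC 3339 UTC and stored as
    TimeGenerated so the custom table keeps the original event time.
    """
    rows = []
    for rec in json.loads(message).get("records", []):
        if rec.get("category") != category:
            continue
        props = dict(rec.get("properties", {}))
        raw_ts = rec.get("time") or props.get("Timestamp")
        ts = datetime.fromisoformat(raw_ts.replace("Z", "+00:00")).astimezone(timezone.utc)
        props["TimeGenerated"] = ts.isoformat()
        props["SourceCategory"] = category
        rows.append(props)
    return rows


if __name__ == "__main__":
    if is_defender_managed_error(SAMPLE_ERROR):
        print("Workspace is Defender-managed: skip connector edits, use Event Hub export.")
    for row in stream_records_to_rows(SAMPLE_MESSAGE):
        print(json.dumps(row))
```

The rows returned by `stream_records_to_rows` are plain dictionaries so they can be handed to whatever ingestion path you use for the custom table; the function deliberately adds no network calls so the transformation can be unit-tested offline against captured messages.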

1 additional answer

  1. hossein jalilian 13,360 Reputation points Volunteer Moderator
    2026-03-19T20:23:02.68+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    Yes, DeviceEvents can be ingested into Microsoft Sentinel natively, but only through the Microsoft Defender XDR connector, not by manually editing the connector in Sentinel when using the unified security experience. If you see an error when editing, it’s because the connector is managed from the Defender portal, and Sentinel-side changes are blocked by design.

    If the option isn’t visible, it’s usually due to the workspace being centrally managed or already set as the primary workspace. Event Hub can be used as a workaround, but it won’t populate the native DeviceEvents table. The correct approach is configuring ingestion through the Defender portal, not Sentinel.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

