Skip to main content

QuickAction - Scan Device on MS Defender for Endpoint - Workflow Template

Start a full malware scan on a remote device as a response of a quick action button.

Updated over 3 weeks ago

This workflow template empowers security analysts to quickly initiate a comprehensive malware scan on a remote device using Microsoft Defender for Endpoint, directly from an incident case. The process begins when an analyst executes a Quick Action button, instantly triggering the scan. The workflow then awaits confirmation that the scan was completed successfully before documenting the action's results in the case notes. Essential for accurate case management and expedited endpoint detection and response, this workflow facilitates prompt malware assessments, critical in maintaining an organization's cybersecurity posture.

Take Me to the Template

Use Cases

Case Management , Endpoint Detection and Response (EDR)

Workflow Breakdown

  1. Runs in response of a Quick Action execution.

  2. Starts a full malware scan on the remote device.

  3. Waits for the host to be contacted and confirm that the action has finished successfully.

  4. Add a note to the case with the result of the action.

Vendors

Utils, Microsoft Defender for Endpoint, Torq Cases

Related Articles
Threat Hunt for a Specified SHA1 Signature in SingularityXDR - Workflow Template
Run Antivirus Scan on a device on Microsoft Defender for Endpoint - Workflow Template
Isolate or Unisolate device on Microsoft Defender for Endpoint - Workflow Template
Run LiveResponses on Microsoft Defender for Endpoint - Workflow Template
QuickAction - Isolate or Release a Device on MS Defender Endpoint - Workflow Template
Did this answer your question?