Skip to main content

Poll for New Microsoft Defender for Endpoint Events for Cases - Workflow Template

Automatically pull new Microsoft Defender for Endpoint alerts on a schedule, then create cases with a field mapper.

Updated over 3 weeks ago

The "Poll for New Microsoft Defender for Endpoint Events for Cases" workflow template automates the process of monitoring and managing security alerts from Microsoft Defender for Endpoint. Scheduled to run at defined intervals, the workflow fetches new alerts via Microsoft Defender API, maps relevant alert fields to a customized case format, and creates an individual case for each detected alert. This streamlines the case management and incident response efforts, allowing businesses to swiftly identify, track, and respond to potential security threats within their network infrastructure.

Take Me to the Template

Use Cases

Case Management , Endpoint Detection and Response (EDR) , Threat Hunting

Workflow Breakdown

  1. Establish a checkpoint to mark accurate beginning and end times.

  2. Pull new alerts from Microsoft Defender API.

  3. Map alert fields to a predefined case layout.

  4. Create a case for each new alert.

Vendors

Utils, Microsoft Defender for Endpoint, Torq, Torq Cases

Workflow Output

A case is created for each new alert.

Tips

Related Articles
Create Cases from SentinelOne Events found in Azure Sentinel - Workflow Template
Microsoft Defender for Endpoint
Initial Microsoft Defender for Endpoint Case Creation - Workflow Template
Poll for new SentinelOne Threats and Open a Torq Case - Workflow Template
Poll for new CrowdStrike Alerts and Open a Torq Case - Workflow Template
Did this answer your question?